Feds Allegedly Demanding User Passwords From Services 339
An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."
Sigh. (Score:5, Insightful)
Re: (Score:3, Insightful)
Aye, as if it wasn't already easy enough for them to frame someone.
Re:Sigh. (Score:5, Interesting)
As sad as it is, I have to agree. This doesn't surprise me one bit. I mean, investigating is hard! Can't have criminals hide behind things like strong encryption! Ergo, no one can use encryption.
That said, I'm hoping we're slowly getting to a tipping point on the entire privacy vs security discussion. 9/11 has happened long ago enough that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.
Re:Sigh. (Score:4, Insightful)
Don't worry, there will be another false flag 9/11-style event. People will give up more freedom and privacy. You can be guaranteed of that.
Re: (Score:3, Insightful)
The governments' reaction to 9/11 - using it as an excuse for more corruption, more surveillance, more wars, and more curtailing of the Constitution - should be enough to question the motivations behind the event. Calling a person crazy for questioning the 'official story' which itself says it fails to explain multiple events like Building 7 falling is calling a person crazy for attempting rational thought.
It would be crazy not to have questions about that whole sequence of events.
Re: (Score:3)
1,960 architects and engineers disagree with you
Yes, and hundreds of scientists [wikipedia.org] have petitioned for getting rid of the evolution theory. You know what's the logical conclusion? You can find a small percentage of loonies anywhere. The mere impossibility of counting them with your fingers doesn't change the fact that they are simply perplexed.
Re:Sigh. (Score:4, Insightful)
1,960 architects and engineers disagree with you
Yes, and hundreds of scientists have petitioned for getting rid of the evolution theory. You know what's the logical conclusion? You can find a small percentage of loonies anywhere. The mere impossibility of counting them with your fingers doesn't change the fact that they are simply perplexed.
Then, like the debate over evolution, you should ask yourself who is making self-referential arguments. Creationists ritually call evolutionists bad names, too.
The official take on WTC7 boils down to this: 'Despite what engineers are taught, a small fire could bring down that building because that's what we say happened.' Your side not only asserts this logical fallacy, but also resorts to ad hominem with great frequency.
I don't even deny that some of the people who reject the official account of 9-11 are loonies; some people will latch onto virtually any conspiracy theory. But it's becoming apparent that there are a great deal more lunatics in the official church of 9-11 who prefer baying for blood and trashing enlightenment principles. So at the very least, it's pot meet kettle.
Re: (Score:3)
1,960 architects and engineers disagree with you [architects-engineers.org] and consider the official story to be questionable. Modern steel skyscrapers don't fall because of small fires, even if they burn for hours. The idea that an unplanned mishap would result in such a building's freefall--with no internal resistance--is an absurdity.
Hello ModTroll...
I should have said "TrollMods". :)
Re: (Score:3, Insightful)
Funny that you tell other people they need medication, yet you ignore facts. I realize that it hurts people's heads to think that their Government is corrupted, but facts show that to be absolutely true. The USA has become everything we used to despise in Stalin, Mao, and Hitler. At least weekly I read reports of SS agents, er. some federal agency, raiding an innocent business or house detaining innocent people for hours. I read at least weekly about something corrupt, where nobody in any Govt. agency is
Re:Sigh. (Score:4)
Re: (Score:3)
millions of dead
Check, no world war level death toll but it's not exactly non-existent either.
economic misery for the survivors
Time will tell on that one. Checked your deficit lately? Hitler did pretty damn well for the economy for a while there. Then things caught up with them and they lost a war.
Re: (Score:3)
No. No check. I was talking about millions killed by the regime itself — not by foreign enemies.
The deficit is horrendous, but our existing wealth is staggering. It would require a civil war to destroy that wealth — an occasional mismanagement, however gross, by a nice-looking demagogue is not going to be enough to really cripple the country...
Re: (Score:3)
The deficit is horrendous, but our existing wealth is staggering. It would require a civil war to destroy that wealth — an occasional mismanagement, however gross, by a nice-looking demagogue is not going to be enough to really cripple the country...
WHAT? What wealth are you referring to? The imaginary numbers someone plugs into a spreadsheet to say we are worth a gigabazillion dollars? Wealth is in infrastructure, manufacturing capacity, ingenuity, and other "goods" like natural resources and agriculture. With the exception of farming, the US is at an all time low for every other item on that list.
Some of those scarcities "could" be artificial. Most however are not, and many like manufacturing would take decades (in addition to massive natural r
Re: (Score:3)
Maybe not millions of dead, but the whole "drone U.S. citizens" thing is at least a couple.
Re:Sigh. (Score:4)
Others have already pointed it out, but I'll ask you to study history. No tyrant caused mass destruction immediately. That said, the USA has a pretty hefty death toll on its hands. Between Iraq and Afghanistan it's nearly 2 million. Oh, I realize that we had labelled 10% of those killed to be "terrorists" so we obviously are justified. Those numbers are what we know our military did, and not what the CIA funded in Libya, Syria, Egypt, Tunisia, etc.. And I won't even get into the corporate death squads that massacred about a million in Central and Southern America.
To your second point, you really have no idea what the Economy is right? You do realize that it's fact that at least 1/3rd of all Americans rely on some type of Government supplement right? No matter how the numbers are moved around, there are places in the US where you simply cannot work because there is no work. If you are lucky enough to get a job in Detroit for example, you won't be making much over minimum wage. (I can speak of Detroit since I lived there for over 4 decades), and other large areas of the US have similar issues.
Surveillance sucks, but we are far from Stalin, Mao, and Hitler... Very, very far.
Delusional statement, sorry. We are not that far at all. The infrastructure is now in place to get bigger body counts than those guys ever dreamed of, and it won't take much to make that happen.
Re:Sigh. (Score:5, Insightful)
It's not just 9/11, the fear of foreigners and the entire "it's us vs the world" attitude has become so ingrained into the American psyche that it'll take several generations to de-program them. Even now those Americans who are raising questions are only protesting against spying on American citizens, as if American citizens are more special than the rest of us humans.
As long as the American people, and not just the government, continue their xenophobia they will just keep shooting themselves in the foot. None of us in the rest of the world want to have anything against USA, but the Americans keep doing everything they possibly can to make the world hate their guts.
Re:Sigh. (Score:4, Insightful)
Supportive of what exactly?
Being from the US you probably don't see the xenophobia for what it is. I moved to the US in the late 70's and the common response to anything not American was that's communist. Now it's probably more along the lines of that's socialist, but the vibe is the same. I see it as fueled partly by fear (of the unknown) and ignorance with a dash of idiotic national pride.
Consider taking a stand against that sort of stupidity and acknowledging your detractors might have a point. It isn't a sign of weakness to admit fault.
Re:Sigh. (Score:4, Informative)
"Being from the US you probably don't see the xenophobia for what it is. I moved to the US in the late 70's and the common response to anything not American was that's communist."
What part of the U.S.?
I've met many people who immigrated to New York City and certain other large metropolitan areas, and their common reaction is "All of the U.S. is like this."
Methinks thou does protest too much.
Supportive of what? (Score:5, Insightful)
How about being supportive instead of antagonistic?
Be honest with yourself: have you spent more time watching television or being politically active?
This is also a criticism I aim at myself, but the first step is to be honest about the situation. Americans are politically lazy, and we have the government we deserve. I don't think there has been a massive nationwide protest here since the 70s, with the possible exception of the anti-war protests before the invasion of Iraq.
The people who run the show aren't going to give it up because we're complaining about them on the internet. It's not difficult to convince yourself to hang on to millions of dollars and unchecked power when there is no real penalty from the populace.
Sir, there are two passions which have a powerful influence in the affairs of men. These are ambition and avarice -- the love of power and the love of money. Separately, each of these has great force in prompting men to action; but, when united in view of the same object, they have, in many minds, the most violent effects. Place before the eyes of such men a post of honor, that shall, at the same time, be a place of profit, and they will move heaven and earth to obtain it. The vast number of such places it is that renders the British government so tempestuous. The struggles for [profit] are the true source of all those factions which are perpetually dividing the nation, distracting its councils, hurrying it sometimes into fruitless and mischievous wars, and often compelling a submission to dishonorable terms of peace.
And of what kind are the men that will strive for this profitable preeminence, through all the bustle of cabal, the heat of contention, the infinite mutual abuse of parties, tearing to pieces the best of characters? It will not be the wise and moderate, the lovers of peace and good order, the men fittest for the trust. It will be the bold and the violent, the men of strong passions and indefatigable activity in their selfish pursuits. These will thrust themselves into your government and be your rulers. And these, too, will be mistaken in the expected happiness of their situation, for their vanquished competitors, of the same spirit, and from the same motives, will perpetually be endeavoring to distress their administration, thwart their measures, and render them odious to the people.
-- Benjamin Franklin, 1787
Re: (Score:3)
We are getting to a tipping point in the privacy vs security discussion. Insecurity is winning.
Comment removed (Score:5, Insightful)
Re:Sigh. (Score:4, Interesting)
It won't matter friend as the PTB has learned they have another "mother may I" magic word that works even better than terrorist, and that is pedo. If you think the whole "peed on a bush and became a sex offender" bit is bad you should look at the CP laws and how vaguely they have been written. According to a friend that works in the state crime lab you could draw a stick figure and stick a label under it saying "nekkid 10 year old" and be looking at several years in prison and otherwise sane people will happily let the feds have ANY power they ask for just by invoking the "for the children" meme, hell we've seen otherwise rational people on this very site willing to ignore any and all violations of privacy if it was "to stop teh pedos".
Exactly... My tinfoil hat says that this would be really useful for dealing with people like Snowden. Can't find a woman that will claim he raped her? No problem, just use his credentials to post child porn somewhere. Congrats! You now have a blank check to do anything you want, and remove all public support for them in the process.
But will they be real crowds cheering? (Score:3)
Or just a corporate media powered applause machine with no real people actually agreeing.
Re:Sigh. (Score:4, Insightful)
Move your services. (Score:4, Informative)
I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presence in North America. And now I'm glad I did.
Re: Move your services. (Score:4, Informative)
compelled speech and/or perjury? (Score:5, Insightful)
Can the government force me to make a public statement, attesting that it's true?
Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.
Re: (Score:2)
Can the government force me to make a public statement, attesting that it's true?
Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.
Bull. It's no different than the government forging your signature. They aren't compelling speech, they are forging a document.
Re: (Score:3, Insightful)
I would agree in principle. Though if the government is able to obtain said keys from someone other than yourself, they weren't really "private", were they?
Time to send out the papers... (Score:4, Interesting)
... of which The Declaration of Independence, The US Constitution and Bill of Rights are.
Most notable is The Declaration of Independence, which makes it clear it is not only our right but duty to put off bad government.
And that is all the response any Founder supporting company need supply any spying government agency.
It's time to show who is a real US Citizen.
Re:Time to send out the papers... (Score:5, Insightful)
Just start emailing copies of those documents to people on a regular basis and see how long before the government calls you a terrorist and arrests you for inciting revolt.
Re:Time to send out the papers... (Score:5, Insightful)
Considering that the Tea Party hasn't been declared as such and that there has yet to be even one sedition trial for those numb nuts in congress that signed that fealty pledge to Grover Norquist, I think that it's rather unlikely that they'll charge you for sending people those documents.
Re: (Score:3)
Not in so many words. But they have been targeted by the IRS and prohibited from attending public events [nationalreview.com] because they don't agree with this administration.
Re:Time to send out the papers... (Score:5, Informative)
While true, it leaves out the fun fact that this has been happening to many, many other organizations. See: http://www.npr.org/blogs/itsallpolitics/2013/06/25/195599362/Democrats-Want-Answers-On-Progressives-Targeted-By-IRS [npr.org]
So no, the IRS wasn't targeting those groups because they don't agree with the administration. It targeted those groups because claiming 501c(4) status while advertising politically charged terms is a red flag. Finally, the link you're including has nothing to do with the IRS, with participating in public discourse or even with political discrimination. These speeches are PR events. As such, they are fairly tightly controlled. And quite frankly, I'm rolling my eyes at the comment that "we just wanted to watch the speech". I'd like to hear this story from some non-GOP-propaganda outlet before I even look further into it.
Re: (Score:3)
No, they were not. At least not according to the IRS IG: http://thehill.com/blogs/on-the-money/domestic-taxes/308131-ig-liberal-groups-not-targeted-like-tea-party [thehill.com]
The IRS scrutinizes many groups, some of which happen to be liberal-leaning AND the IRS singled out 100% of Tea-party affiliated groups. Draw a Venn diagram if you still have trouble with the logical consistency of these two statements.
Re: (Score:3)
What do a bunch of anarcho-capitalist lapdogs and religious nutjobs have to do with protecting the Constitution and defending Liberty?
In your view, who does have anything to do with defending the Constitution and Liberty?
Re: (Score:2)
Re:Time to send out the papers... (Score:4, Insightful)
In my high school American History class, we mostly learned how white people oppressed some people or other people at various times,
Please explain to me how that is incorrect or even not one of the top 5 most important characteristics of the development of the nation.
Re: (Score:3)
It doesn't take into account that the US ending slavery was nearly unprecedented world-wide.
Er... if you compare US to other countries with similar historical background and level of economic development, then it was actually rather lagging behind. Go here [wikipedia.org] and find the entry for US, then scroll down and see who abolished it after that date (it's easier, because that list is much shorter than the one before it). Basically, by the time US did it, Europe has already had it abolished everywhere except for Ottoman Empire, and in most of its colonies. Most other states that were formed from European col
Re:Time to send out the papers... (Score:5, Informative)
How about an Article V Convention [wikipedia.org] first? AKA, a broad slate of amendments that would create a new Constitution. It would literally be a New Republic. Larry Sabato from my alma mater wrote a book about this. I don't agree with very many of his proposals though. That's the problem with such a convention or a revolution. You never know what you're going to get. So. I think this has to fester a bit more. Let's try the Article V convention first though, before we reach for the musket. It's actually a fairly extreme parliamentary maneuver, and allegedly Congress has acted under the threat of article V before.
the war is over (Score:3, Insightful)
and stupid has won.
Re:the war is over (Score:5, Insightful)
You can not blame it on stupid, when people are intentionally kept ignorant. For a minimum of 10 years, you are subjected to a program that creates servitude and removes people's ability to think. When people start to wake up, it's a rather alarming process. Not just because of the cognitive dissonance, but because there are numerous sources of fiction to frighten them back into a stupor.
If you pick 5 people and start trying to teach them to think, you will be lucky to have made progress within 6 months. That however should be the goal of anyone that can see clearly. As people learn to think and can see for themselves it is imperative for you to ask them to do the same thing (go get 5 students).
An enlightened society is something the people in power fear. They hated Socrates because he advocated an intellectual society, and countless others that came after him calling for the same thing. If you want to rankle the hairs of the established, start teaching people to think. Ad hominem and mockery are what they expect and adore.
Re: (Score:3)
Re:the war is over (Score:4, Insightful)
Yeah, because clearly McCain and Romney would have been less quick to take our rights away from us.
Ultimately, as long as there are voters that support this sort of bullshit it's going to continue. Obama was less likely to engage in this than any of the GOP options were.
Re:the war is over (Score:4, Insightful)
Obama was less likely to engage in this than any of the GOP options were.
The difference is, when Republicans do something like this, the media print stories about how it's bad and should be stopped and Democrats would never do such a thing. When Obama does something like this, the media print stories about how wonderful he is and nothing he does could ever be bad.
Re: (Score:3)
wow. we keep going more and more insane. (Score:2)
Re:wow. we keep going more and more insane. (Score:5, Insightful)
No doubt this is because terrorists/spies have changed tactics
Or simply because the Feds can get away with it. KGB wannabees are like any other power hungry bastards - give them an inch and they'll take a mile. They want more because they want more. There may be some excuses they use to justify it, but the real reason is simply that they want more.
Re:wow. we keep going more and more insane. (Score:4, Insightful)
Re:wow. we keep going more and more insane. (Score:4, Insightful)
I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity.
No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to solve this.
Terrorists haven't changed tactics. Look at the Boston Bombers, the NSA had been spying on us for years at that point.
Did they know about it? NO.
Did they stop it? NO.
So them spying on everyone is a waste of time if they can't catch any terrorist with it. In fact, they are being the terrorist against their own population by this and other actions they have been doing.
Standing up to the Feds (Score:2)
I wonder how that really works out, in the long-run. What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?
Re: (Score:2)
More to the point how many "over my dead body" statements last longer than a night in lockup, let alone awaiting a trial.
Re: (Score:2)
I absolutely would, especially as a start-up. Buckle when you're small and you'll lose what customers you have and go out of business.
Re:Standing up to the Feds (Score:4, Insightful)
Re:Standing up to the Feds (Score:4, Insightful)
Assuming you knew. In practice the worst of this is done under gag order so that nobody knows which services are engaged in this sort of illegal spying. And thanks to the numb nuts that W had installed on Supreme Court, it's even harder to get the constitution enforced than it used to be. Damned activist judges.
Re: (Score:2)
If you're looking to get into that fight, go elsewhere. I've had enough of bickering with partisan trolls today. It's always a crapshoot as to which major party's political trolls will show up on a given day.
Re:Standing up to the Feds (Score:5, Insightful)
What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?
If you have little legal know-how and are confronted with an important legal issue that could have serious ramifications if you screw it up, you consult with a lawyer.
If you are smart, this is always the case, be you a startup, a large company or an individual.
A small company probably won't have a lawyer on payroll, but certainly, they can still pick up the phone and call one. It'll cost some money, yes, but even small businesses need lawyers for lots of things, so the concept should not be foreign to them.
Now, if you're saying that "legal know-how" means knowing when an issue is important and could have serious ramifications, well, that doesn't require much skill. If you receive a demand from the government of any sort and it's not something you're familiar with, a quick consultation with a lawyer would be prudent. Especially if it just plain sounds wrong.
Now, your lawyer may very well advise you to just give them what they want, but still, asking him was the right thing to do.
A bigger problem is the gag orders that tend to come with these orders, where you can't even tell somebody that you received them. You can generally still consult with a lawyer, but even so, they really do fly in the face of the rights we used to think we have.
Re:Standing up to the Feds (Score:4, Insightful)
Minor correction, we STILL have those rights, they're just being trampled.
Re:Standing up to the Feds (Score:4, Informative)
yes, it is. It is a right being violated. The violator is thus guilty of wrongdoing. Don't ever let them convince you that the right is non-existent.
The other case would be that it's not a right anymore and the government gets to say not a right so we're doing no wrong.
In other words, by violating a right (such as by denying it's existence), a government de-legitimizes itself.
Re: (Score:2)
What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?
Sort of depends on your ethics and principles, doesn't it? If it's important to you to defend the constitution and your rights, then yeah I hope that you would resist those demands. It's about principles, if the reason you're doing business in the US is to make money, then you probably don't care. If the reason you're doing business in the US is because you like the US and what the founders stand for, then hopefully you'll grow a spine and stand up for your principles, with the knowledge that they might
Hmmm... (Score:5, Funny)
They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.
Re: (Score:3)
I run my passwords through a full 12,000 rounds of ROT-13.
Re:Hmmm... (Score:4, Funny)
The ROT-13 jokes are really getting old, and anyone who cares about their security has already upgraded to ROT-26.
Re: (Score:2)
ROT-26: all the protection you've come to expect from ROT-13, but with only half the rounds!
Re: (Score:2)
That character would be Fouad.
Re: (Score:2)
help me NSA-CB, you are my only hope
Black Hat hears, and thinks... (Score:3)
How can I get a piece of this action - it's probably not impossible to impersonate the Fed to get companies to cough up their entire user credential stores... just a few large-bag hit and runs could net millions in CC#.
Re:Black Hat hears, and thinks... (Score:5, Funny)
just a few large-bag hit and runs could net millions in CC#.
Credit cards? You think small. How about getting access to the Federal Reserve? Considering all the money they give away to bail out financial institutions that should be in receivership, you could probably take a few billion and it would be dismissed as a rounding error.
Re:Black Hat hears, and thinks... (Score:5, Interesting)
I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.
You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?
I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.
Re: (Score:2)
There are so many things a terror group could do if they really wanted to. They called out the Department of Homeland Security yesterday because someone left a Chinese takeout box on a Metrobus, for fuck's sake. It would be very, very easy to create a DoS condition among the anti-"terrorism" agencies...
Re: (Score:3)
I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.
You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?
I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.
Well, exactly that is the real problem with a non-transparent society. Checking if they're real is illegal; asking for advice is illegal.
Wow (Score:2)
how to make bureaucrats value privacy (Score:5, Insightful)
Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.
Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.
Re: (Score:2)
Is this different from perlustrating mail? (Score:2)
Re:Is this different from perlustrating mail? (Score:4, Informative)
NB: the second is why sysadmins don't log in as root and don't request user passwords. Logging in as their ordinary user and then su'ing to root leaves a record in the audit log of which sysadmin was doing what as root. And if we need to access your account as you, su'ing to root and then to your account leaves a record of which sysadmin was responsible for the access.
Companies shouldn't have this anyway (Score:5, Interesting)
2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.
That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".
Re: (Score:2)
Re: (Score:2)
Actually, no. That isn't true. They never need to know the actual password.
Re: (Score:3, Insightful)
But even disregarding NSA, the link between the authentication system and the UI is usually the weakest. That's where we see attacks like key-loggers, phising scams, attack on secure memory, etc. Again, it proves his p
Re:Companies shouldn't have this anyway (Score:4, Informative)
At some point, you have to know the user's password.
If you ever need to know what the user's password is, then you ask them for it. You run into that when you implement a different or stronger hashing algorithm. You can't just re-hash everyone's password, because it's already hashed and you don't know what the original was. So you store the version of the hashing algorithm for their current password, and any time they enter their password (on login or other places depending on the application) then after you authenticate them you compare their hash version with the current version, and if it's not the current version then you take their plain-text password that they just entered, hash it with the new algorithm, and update the hash and password version in the database. You can't update everyone's passwords unless they enter them. If you need their password, then you ask them for it.
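The upgrade-on-login scheme in the comment above, written out as an added example (this is not the commenter's code). The version table, iteration counts and record layout are assumptions for illustration; PBKDF2-HMAC-SHA256 stands in for whichever hash the site actually uses. Note that a record holds exactly the three things the article says the orders demand: the hash, the algorithm (here, its version number) and the salt.

```python
"""Added example: versioned password hashes that are upgraded when the user next logs in."""
import hashlib
import hmac
import os

# Hypothetical table of hash parameters, keyed by version. Adding a stronger
# version means adding a row and bumping CURRENT_VERSION; old rows stay so that
# records hashed under them can still be verified.
HASH_VERSIONS = {
    1: {"alg": "sha256", "iters": 1_000},      # the old, too-cheap setting
    2: {"alg": "sha256", "iters": 600_000},    # current setting
}
CURRENT_VERSION = 2


def _derive(password: str, salt: bytes, version: int) -> bytes:
    """Hash the password under the parameters of the given version."""
    p = HASH_VERSIONS[version]
    return hashlib.pbkdf2_hmac(p["alg"], password.encode("utf-8"), salt,
                               p["iters"], dklen=32)


def make_record(password: str, version: int = CURRENT_VERSION) -> dict:
    """Build the stored record: version, per-user random salt, derived hash."""
    salt = os.urandom(16)
    return {"version": version, "salt": salt,
            "hash": _derive(password, salt, version)}


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Check the password against the record's own version.

    Returns (ok, record_to_store). On success with a stale version the
    returned record is freshly hashed under CURRENT_VERSION, with a new salt;
    the caller writes it back to the database. On failure the original record
    is returned unchanged so nothing is touched.
    """
    expected = _derive(password, record["salt"], record["version"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False, record
    if record["version"] < CURRENT_VERSION:
        return True, make_record(password)   # plaintext is in hand only right now
    return True, record


if __name__ == "__main__":
    # Constructed sample: a user whose record was made under the old version.
    stored = make_record("correct horse battery staple", version=1)
    ok, stored = verify_and_upgrade(stored, "correct horse battery staple")
    print(ok, stored["version"])
```

The plaintext exists only for the duration of the login request; at rest there is nothing to hand over but the record, which is also all an offline guessing attack needs, so the iteration count is what decides how much that record is worth to whoever obtains it.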
Re: (Score:3)
It is possible, just not commonly done. SSH keys are an example. The server never needs to know my secret key in order to authenticate me.
Re:Companies shouldn't have this anyway (Score:4, Interesting)
Change your site to use a JS-based multiple-hash-challenge algorithm so that the password itself is never sent over the network at all.
See what Google does next, it seems that over the last few years they've been trying to make things harder for the NSA. In 2011 they added forward-secret SSL support.
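A minimal version of the challenge-response idea from the comment above, as an added example (not the commenter's code; Python for both sides rather than browser JS, so it runs in one file). The salt length, iteration count and nonce size are assumptions. It shows the property claimed, that the password never crosses the wire, and the caveat that goes with it: the stored verifier is password-equivalent, so anyone who obtains the server's records can answer challenges without ever knowing the password.

```python
"""Added example: salted-hash challenge-response login where the password stays on the client."""
import hashlib
import hmac
import os

ITERS = 200_000  # assumed client-side PBKDF2 cost


def client_verifier(password: str, salt: bytes) -> bytes:
    """Client-side: derive the verifier from password and the server-assigned salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERS)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client-side: prove knowledge of the verifier for this one nonce."""
    return hmac.new(client_verifier(password, salt), nonce, hashlib.sha256).digest()


class Server:
    """Server-side state: salt and verifier per user, plus outstanding nonces."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, verifier)
        self.pending: dict[str, bytes] = {}               # user -> unconsumed nonce

    def new_salt(self, username: str) -> bytes:
        """Registration step 1: hand the client a salt to derive its verifier with."""
        salt = os.urandom(16)
        self.users[username] = (salt, b"")
        return salt

    def register(self, username: str, verifier: bytes) -> None:
        """Registration step 2: store the verifier; the password itself was never sent."""
        salt, _ = self.users[username]
        self.users[username] = (salt, verifier)

    def salt_for(self, username: str) -> bytes:
        return self.users[username][0]

    def challenge(self, username: str) -> bytes:
        """Login step 1: issue a fresh single-use nonce."""
        nonce = os.urandom(32)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Login step 2: recompute the expected response from the stored verifier."""
        nonce = self.pending.pop(username, None)   # consumed whether or not it matches
        if nonce is None or username not in self.users:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def response_from_stolen_verifier(verifier: bytes, nonce: bytes) -> bytes:
    """What someone holding only the server's record (no password) can compute."""
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    s = Server()
    salt = s.new_salt("alice")
    s.register("alice", client_verifier("hunter2", salt))
    nonce = s.challenge("alice")
    print(s.verify("alice", client_response("hunter2", s.salt_for("alice"), nonce)))
```

The nonce is consumed on first use, so a captured response cannot be replayed; but the verifier stored on the server is enough to log in, which is exactly the kind of "stored password" a legal demand for the database would yield. Protocols such as SRP avoid that property; this simple hash-challenge scheme does not.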
I hope they ask SpiderOak for mine (Score:2)
I'd just like to be there to see the blank stare.
Re: (Score:2)
simple (Score:2)
If they really need to have access as a specific user we have an impersonation feature (for tech support) that allows one user to perform actions in the system with the rights of another, except that the logs still tell us who is actually doing stuff. Seems like a much better way to deal with this kind of request.
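A sketch of the impersonation feature the comment above describes, as an added example (not the commenter's system). The role name, session fields and audit record layout are assumptions; the point it demonstrates is that every action carries both the account that authenticated and the account whose rights were used, so the log can answer "what did this support user actually do" even while they were acting as someone else.

```python
"""Added example: support impersonation that keeps the real actor in every audit record."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    actor: str            # the account that actually authenticated
    effective_user: str   # whose permissions apply to actions in this session


@dataclass
class App:
    roles: dict                     # username -> set of role names (constructed sample data)
    audit: list = field(default_factory=list)

    def login(self, username: str) -> Session:
        """A normal session: actor and effective user are the same account."""
        return Session(actor=username, effective_user=username)

    def impersonate(self, session: Session, target: str) -> Session:
        """Switch effective user while keeping the real actor; logged like any action."""
        if "support" not in self.roles.get(session.actor, set()):
            raise PermissionError(f"{session.actor} is not allowed to impersonate")
        if session.actor != session.effective_user:
            raise PermissionError("nested impersonation is not allowed")
        if target not in self.roles:
            raise KeyError(f"no such user: {target}")
        self._log(session, "impersonate", target)
        return Session(actor=session.actor, effective_user=target)

    def do(self, session: Session, action: str) -> None:
        """Perform an action with the effective user's rights; record who really did it."""
        self._log(session, action, session.effective_user)

    def _log(self, session: Session, action: str, target: str) -> None:
        self.audit.append({"actor": session.actor, "as": session.effective_user,
                           "action": action, "target": target})

    def actions_by(self, actor: str) -> list:
        """Everything a given real person did, regardless of whom they were acting as."""
        return [e for e in self.audit if e["actor"] == actor]


if __name__ == "__main__":
    app = App(roles={"alice": {"support"}, "bob": set(), "carol": set()})
    s = app.impersonate(app.login("alice"), "carol")
    app.do(s, "read_mailbox")
    print(app.actions_by("alice"))
```

Compare with handing over carol's password: the same mailbox read would then appear in the logs as carol's own action, with no record of who was really at the keyboard.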
Re: (Score:2)
Unless you're impersonating user A to get users B, C and D to do something stupid, or share something important.
And of course you do not want to leave anything in audit logs to prove that you did, because the only legal protection you have impersonating user A is that nobody knows how your agency is interpreting the law. Until they do, you act in good faith that what you are doing is legal...
Or some bullshit reason like that.... I do not agree, but I see how it tends to be explained away these days *sigh*
How this relates to Snowden (Score:5, Insightful)
I find myself wondering how much of this ( master keys, passwords, etc... ) we'd be discussing NOW had it not been for Snowden having the balls ( if not the brains ) to leak what he's leaked.
Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.
Someone is going to have to put a tool in orbit (Score:2)
Some kind of orbital strongbox that will act as the world's encryption key fob. Something that dodges around in an irregular orbit and explodes if anyone gets close to it.
We're letting Gov do this (Score:2)
Until Americans man up and accept the reality that Big Brother can't guarantee 100% security, they're going to keep doing this. I'm disheartened by how relatively low disapproval for these practices is. I think I heard only 56% against. In the US, I would expect those numbers to be astronomical.
Surprising there isn't more sub channel news (Score:5, Interesting)
About these penetrations. You would think there would be daily broadcasts from anonymous or somebody indicating which systems have been hacked by the government. It's like people aren't talking about it much at all.
Re:Name and Shame (Score:5, Insightful)
Re:Name and Shame (Score:4, Interesting)
TFA says the companies resisted - the shame here belongs on the US Government
More interesting would be to know the names of the companies who didn't resist and thus didn't make any noise at all . . .
Re:Not surprised (Score:5, Informative)
The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.
What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.
Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.
Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.
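The Diffie-Hellman exchange that comment refers to, as an added example (not code from the commenter or from any library the thread mentions). Everything an eavesdropper could capture is collected in `wire`; each side combines its own private exponent with the other side's public value and both arrive at the same key. The group parameters `P` and `G` are a constructed toy (a 127-bit Mersenne prime) so the numbers stay readable; real code uses a standardized group or an elliptic-curve implementation.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only. 2**127 - 1 is prime, but a
# 127-bit modulus offers no real security; do not reuse these parameters.
P = 2**127 - 1
G = 5


class Party:
    """One side of the exchange. The private exponent never leaves the object."""

    def __init__(self, name: str):
        self.name = name
        self._secret = secrets.randbelow(P - 2) + 1   # a (or b): never transmitted
        self.public = pow(G, self._secret, P)          # g^a mod p: sent in the clear
        self.shared_key = None

    def derive(self, peer_public: int) -> bytes:
        # (g^b)^a == (g^a)^b mod p, so both sides compute the same value.
        s = pow(peer_public, self._secret, P)
        # Hash the raw group element into a fixed-size symmetric key.
        self.shared_key = hashlib.sha256(s.to_bytes(16, "big")).digest()
        return self.shared_key


def run_exchange():
    """Perform one exchange; returns (alice_key, bob_key, wire).
    `wire` is the complete list of what a passive observer sees."""
    alice, bob = Party("alice"), Party("bob")
    wire = [("alice->bob", alice.public), ("bob->alice", bob.public)]
    alice.derive(bob.public)
    bob.derive(alice.public)
    return alice.shared_key, bob.shared_key, wire


def keys_agree() -> bool:
    a, b, _ = run_exchange()
    return a == b


def sessions_differ() -> bool:
    # Fresh exponents each run, so two sessions share no key material.
    a1, _, _ = run_exchange()
    a2, _, _ = run_exchange()
    return a1 != a2


if __name__ == "__main__":
    a, b, wire = run_exchange()
    for direction, value in wire:
        print(f"{direction}: {value}")
    print("keys agree:", a == b)
```

Note the contrast with the stored-password case in the comment: after the exchange each side holds the shared secret, so it is a shared-secret scheme, but one established on the fly rather than stored long-term by a service.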
Re: (Score:2)
You don't seem to understand what a hash or a salt is.
Re: (Score:2)
Re: (Score:2)
change your password to "aeb30d1be48a8ed9" and store it in plaintext :D You could add some salt, I guess, but that'll leave them guessing either way....
Re: (Score:2)
All of my passwords look like that. Randomly generated with special characters. Typically 25 chars long.
They are in a password manager. I don't have to remember them at all. It's easier than having passwords I can remember but are easier to guess/can be found by rainbow table.
--
BMO
Re: (Score:2)
All of my passwords look like that. Randomly generated with special characters. Typically 25 chars long.
They are in a password manager. I don't have to remember them at all...
So basically, you've got all your securely designed passwords stored in one keyring that, if one person gets the code to it, they could use to gain access to all of your passwords. Much more secure storage area than your brain, I'm sure.
Re: (Score:2)
Come on, tell us who you are so we can not use you any more.
Don't you also want to know the names of the other companies that just quietly and politely handed over what was asked for?