Feds tell Web firms to turn over user account passwords

by BTM
14 replies
  • OFF TOPIC
  • |
Feds tell Web firms to turn over user account passwords | Politics and Law - CNET News

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?"
--Jennifer Granick, Stanford University

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law."

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.
The FBI declined to comment.
  • Profile picture of the author SashaLee
    Hi there,

    Another example of a government hard at work!

    All the best,

    Sasha
    {{ DiscussionBoard.errors[8326505].message }}
  • Profile picture of the author seasoned
    What good is the password? A password is good ONLY for ongoing on demand checks. It IS illegal in that it isn't limited, can help crack other accounts, etc... ALSO, many passwords set defaults, and tell what was done and/or when. A covert user password is then IMPOSSIBLE, so they will likely ask for a kind of special override password that might not even exist! The salt could help crack EVERY account in the enterprise, and may also affect security elsewhere in the enterprise. They may even have trouble giving it.

    Giving the algorithm may violate security PLANET WIDE for a given app, violate patents, etc.... And it is possible NOBODY in the company would even know how to get it!

    Just to give you an idea of how invasive this is..... There is a little company called RSA. They have a gadget that sends out a number that acts almost like a secondary salt that must be added to the password. To get details on it would endanger security of systems worldwide.

    They will likely end up requesting what they did for the TSA! Did YOU know that they now have special TSA locks? WHY are they SPECIAL? They have a master combo or key that the TSA can use to unlock them!!!!! TSA Theft Investigation: How to Protect Yourself - ABC News

    WHEN are people going to say enough is enough? NOW, they say ACCESS to specific info is NOT enough! That is ALL the law says they can have! They say ACCESS to a specific account is not enough! They say that feeds of ALL accounts is NOT ENOUGH! They say that even details of the program, etc, are not enough. They want EVERYTHING! Even things that may be proprietary to a totally non involved third party and may affect third parties WORLD WIDE!

    Steve
    {{ DiscussionBoard.errors[8326646].message }}
    • Profile picture of the author Kay King
      WHEN are people going to say enough is enough?
      I wonder the same thing. I've seen polls that show only about 30% of the population is highly upset over the NSA spying - and funding for it was just renewed for the NSA program by Congress in the past few days.

      I believe after 9/11 we were bombarded with the idea of a terrorist under every rock. "Report anything that doesn't seem right" people were told. "You never know what someone might be up to", and on and on.

      The indoctrination worked and now any intrusion into our privacy is excused with "protection from terrorism". In spite of all evidence to the contrary - we keep believing the mantra of "let us do this and we'll keep you safe".
      Signature

      Saving one dog will not change the world - but the world will change forever for that one dog.
      It takes nothing away from a human to be kind to an animal.
      {{ DiscussionBoard.errors[8327923].message }}
      • Profile picture of the author seasoned
        Originally Posted by Kay King View Post

        I wonder the same thing. I've seen polls that show only about 30% of the population is highly upset over the NSA spying - and funding for it was just renewed for the NSA program by Congress in the past few days.

        I believe after 9/11 we were bombarded with the idea of a terrorist under every rock. "Report anything that doesn't seem right" people were told. "You never know what someone might be up to", and on and on.

        The indoctrination worked and now any intrusion into our privacy is excused with "protection from terrorism". In spite of all evidence to the contrary - we keep believing the mantra of "let us do this and we'll keep you safe".
        I was practically SCREAMING at some at 9/11. All this talk, inspections, etc.... is WHAT THEY WANT!

        As it stands, the inspections have cost me hundreds of dollars, lowered access, etc.... We are now far closer to a totalitarian state. One person, that predicted CRAZY things recently that came true, and claims to have inside info, is claiming they are recording all CALLS! O'Reilly doubts that. HEY, some things that are true now I said years ago would take over a decade. I have heard of MULTI petabyte databases! With sampling and compression and removal of dups, recording all info doesn't sound so unlikely.

        Steve
        {{ DiscussionBoard.errors[8328765].message }}
      • Profile picture of the author ThomM
        Originally Posted by Kay King View Post

        I wonder the same thing. I've seen polls that show only about 30% of the population is highly upset over the NSA spying - and funding for it was just renewed for the NSA program by Congress in the past few days.

        I believe after 9/11 we were bombarded with the idea of a terrorist under every rock. "Report anything that doesn't seem right" people were told. "You never know what someone might be up to", and on and on.

        The indoctrination worked and now any intrusion into our privacy is excused with "protection from terrorism". In spite of all evidence to the contrary - we keep believing the mantra of "let us do this and we'll keep you safe".
        I think "We will do this and we'll keep us safe" is more accurate. I was just reading this article today, Forget The Drones: Massive Spy Blimps Set To Hover Over Northeastern U.S. : Personal Liberty Digest

        From the article.
        Pretty soon, a pair of massive high-tech Army blimps will be floating over the greater Washington, D.C., area to provide 24-hour, 360-degree surveillance. And as testing and advancement of the airship surveillance technology continues, the eyes in the sky could have the ability to keep an eye on folks spanning hundreds of acres, from North Carolina to Niagara Falls and beyond.
        Again from the article
        The blimps are capable of monitoring targets on land, water or in the air with a trove of powerful onboard surveillance equipment. In a press release, Raytheon said the JLENS surveillance radar can “simultaneously track hundreds of threats.”
        Raytheon touts the blimps as a way for militaries to have surveillance equipment out of high in the sky and out of danger while carrying “powerful radars that can look deep into enemy territory.”
        They tested the blimps in the Utah wilderness and will deploy them from the Aberdeen Proving Ground in Maryland.
        Kind of makes you wonder who they think the enemy is.
        Signature

        Life: Nature's way of keeping meat fresh
        Getting old ain't for sissy's
        As you are I was, as I am you will be
        You can't fix stupid, but you can always out smart it.

        {{ DiscussionBoard.errors[8328881].message }}
  • Profile picture of the author HeySal
    The bill that was supposed to curtail the NSA spying was just voted down. ONLY 3 votes FOR curtailing surveillance. People need to start holding recalls of anyone who voted FOR this Orwellian Bullsh**.
    Signature

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

    {{ DiscussionBoard.errors[8328567].message }}
  • Profile picture of the author yukon
    Banned
    Lol, like they need approval to gain access to a site/host.

    If they want in they'll get in.
    Signature
    Hi
    {{ DiscussionBoard.errors[8328773].message }}
    • Profile picture of the author seasoned
      Originally Posted by yukon View Post

      Lol, like they need approval to gain access to a site/host.

      If they want in they'll get in.
      Actually, that is FANTASY! It could be a variable seed multiple algorithm keyed and mangled encryption that would be EXTREMELY hard to figure out and the code code be obfuscated and in compiled code, so reverse engineering would be VERY difficult. So stop watching NCIS and wargamer with the supposed automated decryption or cracking everything within an hour.

      That said, if it were a generic ONE PASS single algorithm, or even multiple pass algorithm, that is one of the several established standards, that HASN'T been mangled or keyed, you COULD determine the type of encryption and it is rumored that the government has a method to gain backdoor access TO THOSE!!!!! It could STILL take a while though.

      Don't forget how hard it was for the allies to crack the, relatively, ******CHILDISHLY SIMPLE****** enigma cipher. HECK, ADOBE used a cheap variant in PDF and apparently someone just broke it. But that is so simple that a 3-4YO could understand it, SERIOUSLY!

      Steve
      {{ DiscussionBoard.errors[8329523].message }}
      • Profile picture of the author yukon
        Banned
        Originally Posted by seasoned View Post

        Actually, that is FANTASY! It could be a variable seed multiple algorithm keyed and mangled encryption that would be EXTREMELY hard to figure out and the code code be obfuscated and in compiled code, so reverse engineering would be VERY difficult. So stop watching NCIS and wargamer with the supposed automated decryption or cracking everything within an hour.

        That said, if it were a generic ONE PASS single algorithm, or even multiple pass algorithm, that is one of the several established standards, that HASN'T been mangled or keyed, you COULD determine the type of encryption and it is rumored that the government has a method to gain backdoor access TO THOSE!!!!! It could STILL take a while though.

        Don't forget how hard it was for the allies to crack the, relatively, ******CHILDISHLY SIMPLE****** enigma cipher. HECK, ADOBE used a cheap variant in PDF and apparently someone just broke it. But that is so simple that a 3-4YO could understand it, SERIOUSLY!

        Steve
        Tell that to Snowden.
        Signature
        Hi
        {{ DiscussionBoard.errors[8329535].message }}
        • Profile picture of the author seasoned
          Originally Posted by yukon View Post

          Tell that to Snowden.
          Did SNOWDEN get all passwords? *******NOPE********!
          Did HE crack systems? *******NOPE********!
          Did he even break into other systems? *******NOPE********!

          WHY do people think such ill of him?

          1. He broke the NDA!
          2. He is giving some of that info to enemies.

          HECK, some are saying he is an incompetent person that isn't very bright, and had no reason to be considered for the job.

          So WHAT is your point?

          Even on WARGAMERS, if you watched carefully, the "cracker" found the place the secretary stored her password. He mt a person that gave him ideas of backdoors, and lucked out. No magic.

          By contrast, the terminator method did hings at a speed simply not possible, and used brute force that many corporate systems would not allow.

          Even Kevin Mitnick, openly admitted that he tricked people and relied on stupid password choices.

          Steve
          {{ DiscussionBoard.errors[8329653].message }}
          • Profile picture of the author PeterLarson
            By telling us this you have done essentially the same thing Edward Snowden did when he told us what the NSA is doing. He did not give away any specific things but generally had the same heart as you have in wanting to expose something that is wrong and shows a government that is out of control.

            Congratulations for sharing this.
            {{ DiscussionBoard.errors[8355540].message }}
  • Profile picture of the author Kingfish85
    Change your password on a weekly basis or even more frequently. Problem solved. Also a thing to note, having root access to the mail server doesn't require a user password to view messages.
    {{ DiscussionBoard.errors[8328794].message }}
  • Profile picture of the author x11joex11
    I agree that this is ridiculous and with the posters comments... however...don't mean to be the whistle blower but... doesn't this forum not allow political chat in this section? Or maybe this particular chat is okay since it's related to online? I hope this is allowed because I would love to post some things related to this I've found as well.

    Signature

    -= Currently looking for craigslist & facebook experts =-

    {{ DiscussionBoard.errors[8329044].message }}
    • Profile picture of the author HeySal
      Originally Posted by x11joex11 View Post

      I agree that this is ridiculous and with the posters comments... however...don't mean to be the whistle blower but... doesn't this forum not allow political chat in this section? Or maybe this particular chat is okay since it's related to online? I hope this is allowed because I would love to post some things related to this I've found as well.


      This isn't a PARTISAN discussion. And - if there are people in here that have been posting for 10 years, it might serve someone with only a hundred or so to figure maybe we know what is allowed and where to draw the lines on it. . The mods stop us if we go too far. No one is blaming one group or the other - nobody is calling each other in here names. This is a very important issue for us and we need to talk about it. If you don't like what we talk about - go back to the main forum. If you do have relevant comments, make them here - just keep it NON partisan (no finger pointing at any particular rep) and don't call another poster names if you don't like their take on it. When it gets partisan, you'll see threads deleted, locked, and people given a time out (temporary ban - or permanent if the offense is bad enough). Gov doesn't always mean "political".
      Signature

      Sal
      When the Roads and Paths end, learn to guide yourself through the wilderness
      Beyond the Path

      {{ DiscussionBoard.errors[8356371].message }}

Trending Topics