Silk Road forums

Discussion => Security => Topic started by: tbart on July 25, 2013, 11:19 pm

Title: (USA) Feds demand passwords
Post by: tbart on July 25, 2013, 11:19 pm
http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/


Feds tell Web firms to turn over user account passwords

Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.

by Declan McCullagh
July 25, 2013 11:26 AM PDT


The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

Apple, Yahoo, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. "I don't know what happens when the government goes to smaller providers and demands user passwords," the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, then a password reset is the easier way."


Cracking the codes
Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms -- designed to take a large fraction of a second to scramble a password -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach."

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt.

Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking."

Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.

Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision.

Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.

"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.

Last updated at 12:47 p.m. PT
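An added illustration of the hashing discussion in the reposted article (this is not code from CNET, the article's sources, or the forum): it puts the unsalted MD5 storage the article uses as its example next to a salted, deliberately slow scheme. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the bcrypt/scrypt the article names; the sample accounts, passwords and the common-password list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional


def md5_hex(text: str) -> str:
    """Hex digest of one unsalted MD5 hash, as in the article's example.
    Fast and deterministic: the same input gives the same output everywhere."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def weak_password_audit(stored: dict, common_passwords: list) -> dict:
    """Defender's audit of an unsalted MD5 password table.

    Nothing distinguishes two users who chose the same password, so one digest
    per candidate covers every user in the table. A per-user salt is exactly what
    removes this property, which is why unsalted fast hashes are inadequate.
    Returns {username: matched_common_password} for every hit.
    """
    table = {md5_hex(word): word for word in common_passwords}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> dict:
    """Salted, slow storage: return a self-describing record holding the
    algorithm, work factor, salt and digest (the three things the article says
    some orders demand, stored together so verification can recompute them)."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "digest": digest.hex()}


def verify_password(record: dict, guess: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])


def guesses_per_second(single_hash_rate: float, iterations: int) -> float:
    """Rough work-factor arithmetic, not a benchmark: hardware that tests
    `single_hash_rate` plain hashes per second can test a record costing
    `iterations` hash computations per guess only about
    single_hash_rate / iterations times per second. It ignores the speed
    difference between MD5/NTLM and SHA-256; the point is the iteration count."""
    return single_hash_rate / iterations


if __name__ == "__main__":
    # The article reports 84bd1c27b26f7be85b2742817bb8d43b for this phrase.
    print("MD5:", md5_hex("National Security Agency"))

    # Constructed legacy table: three accounts stored as unsalted MD5.
    legacy_store = {"alice": md5_hex("letmein"),
                    "bob": md5_hex("Tr0ub4dor&3"),
                    "carol": md5_hex("letmein")}
    print("same password, same digest:", legacy_store["alice"] == legacy_store["carol"])
    print("audit hits:", weak_password_audit(legacy_store, ["password", "letmein", "123456"]))

    # Same password re-stored twice with random salts: unrelated digests.
    a = hash_password("letmein", iterations=100_000)
    c = hash_password("letmein", iterations=100_000)
    print("salted digests differ:", a["digest"] != c["digest"])
    print("verify right/wrong guess:", verify_password(a, "letmein"), verify_password(a, "letmeout"))

    # The article's 348 billion hashes/second rig against a 100k-iteration record.
    print("guesses/s at 348e9 plain hashes/s:", guesses_per_second(348e9, 100_000))
```

The record returned by `hash_password` carries its own parameters, so a deployment can raise the iteration count for new records without invalidating old ones; `verify_password` simply reads the work factor it needs from the record it is checking.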




Title: Re: (USA) Feds demand passwords
Post by: ananas_xpress on July 26, 2013, 11:40 am
Welcome to planting evidence/stitching people up 2.0 >:( >:(

"Hey buddy, are you still doing that thing you do with the chronic on the road? ;) ;)"
"Yep, got new stock."

Cue the raid, the fucking raid.

Not that I would ever discuss anything like that, but it just means I have to assume my friends' personal messages might not even be them now :-\ :-\

Title: Re: (USA) Feds demand passwords
Post by: ShApEsHiFtInGsHaPeS on July 26, 2013, 12:04 pm
I'm not really surprised that this kind of stuff happens; it's just in the nature of secret service organisations to do so.
What I really don't understand is why so many people don't give a fuck about it. That's the scariest part.
Title: Re: (USA) Feds demand passwords
Post by: psychedelicmind on July 26, 2013, 12:11 pm
Sickening stuff, to say the least!!! :( Where/when is it all going to end?

If only there was a way to overthrow the criminals in the US Government! This is when people power should really come to the fore. I am not from the US, but I feel strongly about all this bullshit that their Government inflicts on its people. I really hope the sociopaths in power get taken out and that the people take back their freedom that was promised in the Declaration of Independence!
Title: Re: (USA) Feds demand passwords
Post by: mcguire39 on July 26, 2013, 12:24 pm
I'd like to think this news is surprising but sadly it is not. I don't think we can trust any of the companies that say they have not given out this kind of information. If they did, the gov't would put a gag order on them as usual. So the only thing the company could say without repercussions is 'no we did not give out this type of information', or they could say 'no comment'  :-X, either of which would be suspicious. Communication methods must be selected carefully. Hopefully any users exchanging drop ship and other details unencrypted through regular commercial e-mails or social sites will take heed.

I wonder if SR has received this type of request.  ;D
Title: Re: (USA) Feds demand passwords
Post by: paxpax on July 26, 2013, 07:33 pm
I didn't read the whole thread, just wanted to comment on web firms submitting passwords. FYI - passwords on most websites are stored encrypted to begin with. The web site owners could only turn over encrypted data that the feds would then need to brute force. Keep a strong password and you are safe. This has been standard practice for some time.
Title: Re: (USA) Feds demand passwords
Post by: Mr. Fluffles Schrodinger on July 26, 2013, 08:02 pm
I'm not really surprised that this kind of stuff happens; it's just in the nature of secret service organisations to do so.
What I really don't understand is why so many people don't give a fuck about it. That's the scariest part.

No, no, no, the scariest people are the people who refuse to let themselves see the truth, or that there is a truth to see in the first place.  Those who live in a sugar sweet world of make-believe, regardless of the facts presented to the contrary.  Those people who are so afraid to live that death is just a permanent state for them.  Real life zombies....with big fucking smiles. Jesus, it's horrifying.

I can't fathom existing like that.  I may be nuts, and kill my very own brain cells on the daily, but I at least want to know who the players are and what the game is.

That way I know which drugs to purchase and for what purpose.... -.-
Title: Re: (USA) Feds demand passwords
Post by: TMan99 on July 26, 2013, 09:13 pm
I'm not really surprised that this kind of stuff happens; it's just in the nature of secret service organisations to do so.
What I really don't understand is why so many people don't give a fuck about it. That's the scariest part.
The government has molded brains into what they want. This has been done through both the media and school.

It has come to the point where everyone (schools, media, other government institutions) is saying "we know what is best for you, don't question us." This is not straight up, of course, but through psychology. And people just listen.

It is sickening and I don't see it stopping soon.

So when the government requests all kinds of info and spies on you, a fair amount of people think "Oh, they are just protecting me and they know what is best."
Title: Re: (USA) Feds demand passwords
Post by: joepinko on July 26, 2013, 09:23 pm
^^^

Gotta disagree with you about "school" molding brains. Good teachers still teach people to think independently. It is much easier to deceive an uneducated person.

Anyways, many Americans care; however, they are so afraid of terrorism (and let's face it, it appears that Islamophobia is gripping a large portion of the US and Western European populace) that they are willing to trade privacy for safety. Scaring the shit out of the American population has worked very well for over a decade now (and it has been used in previous decades).

Why do you think that the House GOP was able to team up with "Moderate" Democrats (conservative lite) in order to defeat an amendment to curtail NSA data collection? The "Libertarians" and Progressive Democrats voted for the measure.

Hell, I forgot who it was, but one Republican House member said it would "bring us back to Sept. 10, 2001," and Boehner went out of his way to vote No (the Speaker of the House rarely votes).
Title: Re: (USA) Feds demand passwords
Post by: TMan99 on July 26, 2013, 09:41 pm
^^^

Gotta disagree with you about "school" molding brains. Good teachers still teach people to think independently. It is much easier to deceive an uneducated person.

Anyways, many Americans care; however, they are so afraid of terrorism (and let's face it, it appears that Islamophobia is gripping a large portion of the US and Western European populace) that they are willing to trade privacy for safety. Scaring the shit out of the American population has worked very well for over a decade now (and it has been used in previous decades).

Why do you think that the House GOP was able to team up with "Moderate" Democrats (conservative lite) in order to defeat an amendment to curtail NSA data collection? The "Libertarians" and Progressive Democrats voted for the measure.

Hell, I forgot who it was, but one Republican House member said it would "bring us back to Sept. 10, 2001," and Boehner went out of his way to vote No (the Speaker of the House rarely votes).
American schools are a one-size-fits-all institution. They are mainly focused on memorization; very little, if any, independent thinking is involved.
Title: Re: (USA) Feds demand passwords
Post by: Aoth14 on July 26, 2013, 09:59 pm
So Obama is going to ask DPR for my password?  Oh no! I bet the gubberment has never demanded personal information before, let alone anything worse!


Are you serious, please delete this thread.
Title: Re: (USA) Feds demand passwords
Post by: bluehorn on July 26, 2013, 10:14 pm
I'd rather have a webcam feed from my bathroom than have someone get my passwords. Maybe it could be possible with a warrant, but damn, that's some serious invasion of privacy!

Anyway, would any of you care to comment on the safety of asking someone through Facebook to "keep a letter with some great stuff for me for some days until I get there"? And then asking for the address?

Otherwise I would ask my friend to get a Tormail account and then ask him through there.

Help appreciated :-)
Title: Re: (USA) Feds demand passwords
Post by: joepinko on July 27, 2013, 02:06 am
^^^

Gotta disagree with you about "school" molding brains. Good teachers still teach people to think independently. It is much easier to deceive an uneducated person.

Anyways, many Americans care; however, they are so afraid of terrorism (and let's face it, it appears that Islamophobia is gripping a large portion of the US and Western European populace) that they are willing to trade privacy for safety. Scaring the shit out of the American population has worked very well for over a decade now (and it has been used in previous decades).

Why do you think that the House GOP was able to team up with "Moderate" Democrats (conservative lite) in order to defeat an amendment to curtail NSA data collection? The "Libertarians" and Progressive Democrats voted for the measure.

Hell, I forgot who it was, but one Republican House member said it would "bring us back to Sept. 10, 2001," and Boehner went out of his way to vote No (the Speaker of the House rarely votes).
American schools are a one-size-fits-all institution. They are mainly focused on memorization; very little, if any, independent thinking is involved.

Making blanket statements are we?

Without giving away too much information, I can assure you that educators are aware of this and go out of their way to work around this the best they can. Yes, standardized testing has increased focus on memorization, but that isn't really the fault of the student or the teachers. Grade schools focus on memorization because that is how children of that age learn. Just like you constantly repeat words to toddlers in order for them to learn.

Furthermore, the higher one moves up the academic ladder, the more they move away from memorization and into independent/critical thought. It is very difficult to graduate from college without critical thinking skills. Graduate Students absolutely have to have critical thinking skills.

To suggest that our educational system is a brainwashing factory is laughable and often spewed by Alex Jones-style paranoid conservative idiots (and frankly, if you believe what that ass is spewing then I have to question your sanity). Frankly, many of these people are the same ones who believe that the educational system has the power to turn children into homosexuals.

Again, a dumb person is easier to trick than a smart one. Most have experience with at least a few teachers who encourage them to question. But this is veering off and I will remove myself from this conversation.
Title: Re: (USA) Feds demand passwords
Post by: joepinko on July 27, 2013, 02:17 am
So Obama is going to ask DPR for my password?  Oh no! I bet the gubberment has never demanded personal information before, let alone anything worse!


Are you serious, please delete this thread.

Correct, they do this shit all the time and it's not just the US government. Believe it or not, they requested personal information before the internet. This is likely not the first time a request has been made, and we might be hearing about it now due to the fallout over PRISM.

Also, sometimes it is warranted. If someone is threatening to blow up a parade or to assassinate the President then yes of course the information should be turned over and likely will be. To assume this request is in relation to SR is pushing it.
Title: Re: (USA) Feds demand passwords
Post by: tbart on July 27, 2013, 02:27 am
This was the part, at the very end, that I found interesting:

"The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop."
Title: Re: (USA) Feds demand passwords
Post by: Light Are on July 27, 2013, 02:56 am
Thanks for the info.

There is no Government "for the people, by the people" (more like "buy" the people ;).