Feds tell Web firms to turn over user account passwords
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.
If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.
"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."
A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"
Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?"
--Jennifer Granick, Stanford University
http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/
msongs
(67,438 posts)cthulu2016
(10,960 posts)Safetykitten
(5,162 posts)cthulu2016
(10,960 posts)Seriously.
What do you want? Cliffs notes?
The Straight Story
(48,121 posts)know one and either know the rest or have a good start on them.
And that can come in quite handy for bank sites, web mail, social media, etc (and they can hack the passwords, they are stored in a hash and will have to break them anyway - anonymous dumps passwords like this - and even if a person knows they were compromised on one system most don't change them everything).
FarCenter
(19,429 posts)Ed Suspicious
(8,879 posts)stupid and deserve ill fate? Just wow.
FarCenter
(19,429 posts)Security requires knowledge and the diligence to apply it effectively.
caseymoz
(5,763 posts)Everything that makes a password strong is what makes it difficult or impossible to remember, and if you're over 50-60 years old, and you have accounts on eighty different sites, you're going to have to come up with a system or have weak passwords and/or nine or ten passwords for the whole group.
Maybe computer geeks find memorizing random symbols an easy thing, if so, that's only because they spend what is or becomes their "work hours" at it. People who have other professions are using computer devices because those purportedly make things easier. If those professional people are supposed to memorize page after page of random keyboard symbols, they wouldn't be using computers very much and a lot of computer geeks would be out of their jobs.
Maybe you trained yourself for those memory feats in high school or college, but the rest of us don't have time doing anything like it. You'd better hope you never get a concussion or have electro-convulsive therapy, because that ability is actually very fragile.
My opinion is if passwords are that much of a hassle, computer geeks better stop being arrogant SOB's about it and start trying to make it easier.
I have a system for managing passwords. It's not conventional, but they're all strong, and I don't have them memorized.
And I'll just add: websites and companies should practice due diligence about this, too. For one thing, I don't know why anybody should get away with brute force password cracking. If websites would limit the number of times per minute log ins can be attempted to something closer to the speed a human being could type it, that would neutralize brute force attacks. I know it presents its own attack issue (you can close a user out of an account by sending attempts), so it's not that simple, but I'm sure there are solutions. They should be thinking along those lines.
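A sketch of the throttling idea raised in the post above, added here as an example and not taken from any site's code: failed logins are delayed with exponential backoff instead of a hard lockout, and state is keyed on account plus source so one sender cannot shut the real user out. The class name, delays, account name and address are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    """Slow down repeated failed logins instead of hard-locking the account.

    State is keyed on (account, source), so failures sent from one source do
    not shut out the real user arriving from another. The trade-off is that
    many sources each get their own allowance; a global per-account ceiling
    would be the usual complement. All numbers here are example assumptions.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock
        self._state = {}

    def check(self, account, source):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        st = self._state.get((account, source))
        return 0.0 if st is None else max(0.0, st.blocked_until - self._clock())

    def record_failure(self, account, source):
        """Count a failed login and return the delay now imposed."""
        st = self._state.setdefault((account, source), _State())
        st.failures += 1
        over = st.failures - self.free_attempts
        if over <= 0:
            return 0.0  # a few typos cost nothing
        # Double the delay per extra failure; cap the exponent and the delay.
        delay = min(self.max_delay, self.base_delay * 2 ** min(over - 1, 30))
        st.blocked_until = self._clock() + delay
        return delay

    def record_success(self, account, source):
        """A correct password clears the history for this pair."""
        self._state.pop((account, source), None)


def attempts_in_window(window_seconds, **params):
    """Simulate a client that retries the instant it is allowed; count its tries."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **params)
    tries = 0
    while True:
        now[0] += throttle.check("alice", "203.0.113.7")  # constructed values
        if now[0] > window_seconds:
            return tries
        throttle.record_failure("alice", "203.0.113.7")
        tries += 1


if __name__ == "__main__":
    print(attempts_in_window(3600))  # guesses one source gets in an hour
```

This only limits guessing through the login form; it does nothing for someone who already holds a copy of the stored hashes.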
Paulie
(8,462 posts)Flies, honey, vinegar and all that.
liberal_at_heart
(12,081 posts)problems? They deserve it huh? Geez.
JackRiddler
(24,979 posts)Fantastic Anarchist
(7,309 posts)Nor women who remain with abusive guys deserve to be beaten, or people who are black deserve to be shot.
What an incredibly stupid thing to say. Does your apologia know no bounds?
Bradical79
(4,490 posts)If someone wants to hack you, all they need to do is get the password for your email account(s). With the reset/remember password features of web services, they can just change the rest of your passwords.
Posteritatis
(18,807 posts)Modern encryption, competently applied, is beyond just about anything on this planet to crack in anything resembling a reasonable timeframe. It's not like in the movies where someone can just flail at a keyboard for a few seconds and suddenly "I'm in."
Aerows
(39,961 posts)Considering that graphics cards can run parallel processes to the tune of several teraflops. CPUs, no, but GPUs? They are extremely good at encryption cracking due to the fact that they inherently run simultaneous processes. Stick 2 top of the line AMD or Geforce cards in a box, and you can better believe they can churn out some serious crunching. Not even out of the reach of the every day user, either. Heck, I have 2 overclocked Geforce 460's in my own box and a 4.5 ghz oc'd processor, and it's pretty much outdated compared to other rigs people run.
ConcernedCanuk
(13,509 posts).
.
.
just cuz we don't like the powers that be - don't underestimate them.
They got trillions of our tax dollars to play with . . .
and they are
CC
Posteritatis
(18,807 posts)Look up some conjectured brute-force times against 128 or 256-bit encryption. Bazillion-dollar budget and reputation as living embodiment of the Matrix notwithstanding, physics is physics.
JoeyT
(6,785 posts)or you're just sending random gibberish.
All it requires is one end be compromised, and with secret courts issuing secret blanket warrants that no one is allowed to publicly acknowledge having gotten, it isn't hard to compromise one end.
chimpymustgo
(12,774 posts)-edit-
A Microsoft spokesperson would not say whether the company has received such requests from the government.
-edit-
Google also declined to disclose whether it had received requests for those types of data.
-edit-
A Yahoo spokeswoman would not say whether the company had received such requests.
-edit-
Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.
-edit-
The FBI declined to comment.
-edit-
dixiegrrrrl
(60,010 posts)are part of a law that says web firms cannot admit to being ordered to give up passwords.
I remember reading that in the original Patriot act, re: libraries, it was not legal to tell the victim the Feds were snooping.
Purveyor
(29,876 posts)are in the White House so why worry. All is good and my tomatoes are ripening.
avaistheone1
(14,626 posts)Not even Nixon!
whatchamacallit
(15,558 posts)Or some such rancid apologist mockery. DU teaches no terrorist can fuck you like your own authoritarian countrymen.
ohheckyeah
(9,314 posts)Ed Suspicious
(8,879 posts)email providers, or social networks. These companies should make access impossible without a unique, momentary key that is held only by the account holder on a device. Something that could put some sort of roadblock in front of these spooks.
dickthegrouch
(3,183 posts)48 billion passwords for the feds to keep up with - hahahahahahaha - Good Luck!
Fumesucker
(45,851 posts)I know people who haven't changed passwords in a decade.
bvar22
(39,909 posts)They would need a massive complex with rows of SuperComputers and a massive Security Complex in Utah to do something like THAT!
Never Happen LOL.
GiaGiovanni
(1,247 posts)bigwillq
(72,790 posts)arely staircase
(12,482 posts)they don't have to turn anything over without a court warrant.
jtuck004
(15,882 posts)arely staircase
(12,482 posts)jtuck004
(15,882 posts)secrecy, how would anyone know?
ConcernedCanuk
(13,509 posts).
.
.
Took me a year, and over $5,000 to beat criminal charges regarding a firearm that was a result of an illegal search and seizure of said firearm.
Beat the charges, but still have not recovered the firearm yet.
And this be Canada?
Gets better - It was a USAmerican living illegally in Canada who conspired with our Provincial Police to create the charges.
Canada ain't what it's cracked up to be, not by a long shot.
(sigh)
CC
Pholus
(4,062 posts)How many people still can't describe what they are going through?
Fuddnik
(8,846 posts)KoKo
(84,711 posts)but talks about efforts over a long timeline...from my read of it.
More of a Time Line of Requests and speculation and info over who complied...who won't answer and who is suspected of doing it.
But, an interesting read although it's kind of jumbled.
kentauros
(29,414 posts)Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
. . .
President Skroob: Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Dark Helmet, Colonel Sandurz: {looks at each other}
bemildred
(90,061 posts)Fantastic Anarchist
(7,309 posts)What the fuck?
Mojorabbit
(16,020 posts)How easy it would be for them to set someone up if they can get access to an account and post as the person who owns the account.
Fantastic Anarchist
(7,309 posts)Yet the apologist will have no problem with it.
zeemike
(18,998 posts)And you gave it to a third party so you don't own it...and besides it keeps us safe.
Do you want the terrorist to come over here and bomb us?
I think your hair is on fire, and I see some clutching their pearls...
Jackpine Radical
(45,274 posts)arcane1
(38,613 posts)Thanks for posting!
Iggo
(47,564 posts)Federosky
(37 posts)And no, don't tell me that the MSM doesn't care, because the Washington Post broke the PRISM news and the USA Today broke the 2005 news that Bush was illegally wiretapping people.
Plus CNET's sources are anonymous.
tuvor
(15,663 posts)Not because they might have been the first to report something.
struggle4progress
(118,332 posts)tuvor
(15,663 posts)Mojorabbit
(16,020 posts)struggle4progress
(118,332 posts)NSA admits listening to U.S. phone calls without warrants
http://www.democraticunderground.com/10023024565
Nadler denied Declan's version of events, which was based on a thoroughly dishonest partial reading of a hearing transcript:
Jerrold Nadler Does Not Think the NSA Can Listen to U.S. Phone Calls
http://www.democraticunderground.com/10023027901
The website's parent company retracted the story:
Congressman denies report claiming NSA can listen to calls without warrants
http://www.democraticunderground.com/1014510665
Mojorabbit
(16,020 posts)I read the transcript myself and it was a weirdly worded walkback. I know his politics are different from mine but I am looking for out and out lies. Thanks!
struggle4progress
(118,332 posts)Mojorabbit
(16,020 posts)Pholus
(4,062 posts)I can't believe we were being misled...
pam4water
(2,916 posts)Oops I mean arrest them without any public knowledge. Scary. Who is president again... Nixon?
zipplewrath
(16,646 posts)Obama's not a dictator. Don't people understand he doesn't have a magic wand and force congress to do anything. There are three branches of government and the GOP has decided to obstruct everything.
At least I read that this is what we're supposed to say when bad things happen in the government.
geek tragedy
(68,868 posts)Only with a warrant or subpoena, and then only after all appeals have been exhausted.
MannyGoldstein
(34,589 posts)They store hashes, which can't be used themselves to gain access, and can't easily be turned back into a password.
Weird.
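For reference on the point in the post above and on the article's description of the salt and algorithm, here is what a stored password record typically looks like. This is an example added here, not any company's actual scheme; the record layout, the choice of PBKDF2-SHA256 and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # example work factor (assumption)


def hash_password(password, *, iterations=ITERATIONS):
    """Return the record a site would store: algorithm, cost, salt, digest."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(submitted, record):
    """Re-run the named algorithm with the stored salt and compare digests."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest(record):
    """The hash field of a record, i.e. what a leaked database row exposes."""
    return record.split("$")[3]


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice)
    print(bob)
    print("same password, same record?", alice == bob)
    print("right password accepted?",
          verify_password("correct horse battery staple", alice))
    print("stored hash accepted as a password?",
          verify_password(stored_digest(alice), alice))
```

The login form hashes whatever is typed, so submitting the stored digest just produces a different digest. Checking a guessed password against a record requires the algorithm, the iteration count and the salt, which is why all three travel together in the row.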
randome
(34,845 posts)"I've certainly seen them ask for passwords" and "legal requests". Wow. How scary that law enforcement would resort to...gasp!...legal requests to acquire passwords!
It's all in the wording. This article -which I have no doubt will not see the light of day beyond CNET- is more red meat for those who are predisposed to see the worst in everything.
Believe what you want but my advice is to always look at evidence before getting outraged.
I'm always right. When I'm wrong I admit it.
So then I'm right about being wrong.
The Straight Story
(48,121 posts)The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."
In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.
Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.
"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.
-------------------
If you have a password and you can use that account that is ripe for abuse - and if you don't think there are people in government who have and do abuse things, well
randome
(34,845 posts)Of course it does. But this article shows no evidence it occurs. It mentions 'legal requests', which means 'warrant' but deliberately avoids using that word.
It's an outrage generator, nothing more than that.
Your example is one of different courts having different opinions on password-locked data. Has nothing to do with the deliberately provocative implication that the 'feds' are demanding passwords on a whim.
If there is abuse, show us the evidence.
I'm always right. When I'm wrong I admit it.
So then I'm right about being wrong.
Ilsa
(61,697 posts)stop emailing as much and instead, use snail mail.
Purveyor
(29,876 posts)WASHINGTON -- Leslie James Pickering noticed something odd in his mail last September: a handwritten card, apparently delivered by mistake, with instructions for postal workers to pay special attention to the letters and packages sent to his home.
"Show all mail to supv" -- supervisor -- "for copying prior to going out on the street," read the card. It included Mr. Pickering's name, address and the type of mail that needed to be monitored. The word "confidential" was highlighted in green.
"It was a bit of a shock to see it," said Mr. Pickering, who with his wife owns a small bookstore in Buffalo. More than a decade ago, he was a spokesman for the Earth Liberation Front, a radical environmental group labeled eco-terrorists by the Federal Bureau of Investigation. Postal officials subsequently confirmed they were indeed tracking Mr. Pickering's mail but told him nothing else.
As the world focuses on the high-tech spying of the National Security Agency, the misplaced card offers a rare glimpse inside the seemingly low-tech but prevalent snooping of the United States Postal Service.
more...
http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?_r=0
Ilsa
(61,697 posts)All mail on everyone being surveilled, though. I guess I figure that I'm not important enough.
struggle4progress
(118,332 posts)Incitatus
(5,317 posts)A state, Federal, which agency and who is in charge of it?
cascadiance
(19,537 posts)... to demand Facebook or other social media account passwords from prospective (or current employees) or students in the case of schools.
So in effect we've made it illegal for a government entity (a university) to demand from a person (a student) their facebook passwords. If corporations are people, then perhaps we could sue the government here if the NSA tries to obtain private passwords from "corporate persons" (these companies they're asking for passwords from). Of course we will still need new laws if we overturn Citizens United to definitively define these passwords on these servers as OUR property and not the companies' property that are storing them. But for now that might be a line of defense.
DevonRex
(22,541 posts)story." - Declan McCullagh
http://en.m.wikipedia.org/wiki/Declan_McCullagh
"Declan McCullagh is an American journalist and columnist for CBSNews.com. He specializes in computer security and privacy issues. He is notable, among other things, for his early involvement with the media interpretation of U.S. presidential candidate Al Gore's statement that he "took the initiative in creating the Internet." McCullagh himself once claimed that "If it's true that Al Gore created the Internet, then I created the 'Al Gore created the Internet' story."[1]
In 2009, McCullagh turned his journalistic focus to the issue of climate change.[2]
McCullagh has written frequently in defense of libertarianism.[3] He began writing weekly columns for CBSnews.com on economic commentary entitled Other People's Money upon CBS Corporation's acquisition of CNET Networks. In August 2009, McCullagh renamed his column to Taking Liberties, which focuses on "individual rights and liberties, including both civil and economic liberties."[4] He also participated and won $100,000 on the California Lottery's Make Me a Millionaire game show in episode 2002.[5]
He attended Carnegie Mellon University and was student body president before being removed from office due to charges of committing domestic violence.[6][7][8] He pleaded guilty to harassment.[9]"
DevonRex
(22,541 posts)"Reporting on possibly "suppressed" EPA document, CBS suppressed actual climate science
CBSNews.com uncritically reported an internal EPA document's false claim that "global temperatures have declined for 11 years."
In a June 26 CBSNews.com article reporting that the Environmental Protection Agency "may have suppressed" an internal report on climate change, senior correspondent Declan McCullagh uncritically reported the document's false claim that, in the article's words, "global temperatures have declined for 11 years." McCullagh identified that claim as one of "a number of recent developments [one of the document's authors, EPA researcher Alan Carlin] said the EPA did not consider" before it submitted a key finding that could lead to EPA regulation of carbon dioxide. In fact, the claim that "global temperatures have declined for 11 years" is simply not true. Annual global average temperatures have both risen and fallen over the past 11 years, and while there have been some relatively cooler years during that period -- including a decline in each of the past three relative to the year before -- climate scientists reject the idea that those temperatures are any indication that global warming is slowing or does not exist. Scientists have identified a long-term warming trend spanning several decades that is independent from the normal climate variability -- which includes relatively short-term changes in climate due to events like El Niño and La Niña -- to which they attribute the recent relatively cooler temperatures.
In a February 11 Guardian op-ed, Vicky Pope, the head of climate change advice at the U.K. Met Office Hadley Centre, wrote that claims about the pace of global warming based only on developments in the past 10 years or in the 1990s are not valid, "since natural variations always occur on this timescale." She continued, "1998 was a record-breaking warm year as long-term man-made warming combined with a naturally occurring strong El Niño. In contrast, 2008 was slightly cooler than previous years partly because of a La Niña. Despite this, it was still the 10th warmest on record." According to the Met Office, "Over the last ten years, global temperatures have warmed more slowly than the long-term trend. But this does not mean that global warming has slowed down or even stopped. It is entirely consistent with our understanding of natural fluctuations of the climate within a trend of continued long-term warming."
As this graph of annual global average temperatures from the U.K. Met Office Hadley Centre shows, the claim in the internal EPA document that, in the words of CBS, "global temperatures have declined for 11 years" is simply not true:"