
Feds Allegedly Demanding User Passwords From Services

Unknown Lamer posted about 9 months ago | from the trust-no-one dept.

Privacy 339

An anonymous reader writes "Following the /. story on the Feds demanding SSL keys, now comes news that the feds are demanding user passwords, and in some cases, the encryption algorithm and salt used. From the article: 'A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" ... Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. ... Other orders demand the secret question codes often associated with user accounts.' I'm next expecting to see the regulation or law demanding that all users use plain text for all web transactions, to catch terrorists and for the children."


339 comments

Sigh. (5, Insightful)

Aerokii (1001189) | about 9 months ago | (#44391655)

Coming up next, our newest feature: Things I wish surprised me, even a little.

Re:Sigh. (3, Insightful)

Anonymous Coward | about 9 months ago | (#44391733)

Aye, as if it wasn't already easy enough for them to frame someone.

Re:Sigh. (4, Interesting)

NeutronCowboy (896098) | about 9 months ago | (#44391737)

As sad as it is, I have to agree. This doesn't surprise me one bit. I mean, investigating is hard! Can't have criminals hide behind things like strong encryption! Ergo, no one can use encryption.

That said, I'm hoping we're slowly getting to a tipping point on the entire privacy vs security discussion. 9/11 has happened long ago enough that the knee-jerk reactions are dying down, and people are starting to question what we're doing in order to make sure 3000 people don't die over the course of a few years.

Re:Sigh. (4, Insightful)

Anonymous Coward | about 9 months ago | (#44391989)

Don't worry, there will be another false flag 9/11-style event. People will give up more freedom and privacy. You can be guaranteed of that.

Re:Sigh. (0, Troll)

hedwards (940851) | about 9 months ago | (#44392005)

Another? I think you have bigger issues than the government, sounds like you need a refill on that Thorazine.

Re:Sigh. (5, Insightful)

Anonymous Coward | about 9 months ago | (#44392157)

It's not just 9/11, the fear of foreigners and the entire "it's us vs the world" attitude has become so ingrained into the American psyche that it'll take several generations to de-program them. Even now those Americans who are raising questions are only protesting against spying on American citizens, as if American citizens are more special than the rest of us humans.

As long as the American people, and not just the government, continue their xenophobia they will just keep shooting themselves in the foot. None of us in the rest of the world want to have anything against USA, but the Americans keep doing everything they possibly can to make the world hate their guts.

Re:Sigh. (1, Insightful)

Aboroth (1841308) | about 9 months ago | (#44392385)

None of us in the rest of the world want to have anything against USA, but the Americans keep doing everything they possibly can to make the world hate their guts.

It would help if "the rest of the world", including you, stopped saying phrases about how they hate our guts, instead of just criticizing the government. It is unnecessarily antagonistic language. A good portion of us over here don't like what is going on. How about being supportive instead of antagonistic?

Re:Sigh. (2)

Hatta (162192) | about 9 months ago | (#44392299)

We are getting to a tipping point in the privacy vs security discussion. Insecurity is winning.

Move your services. (3, Informative)

snarfies (115214) | about 9 months ago | (#44391673)

I needed to switch providers during the whole SOPA debacle, and decided it was a primo opportunity to move to an overseas VPS. I made sure to pick one that has no presence in North America. And now I'm glad I did.

compelled speech and/or perjury? (5, Insightful)

DoofusOfDeath (636671) | about 9 months ago | (#44391689)

Can the government force me to make a public statement, attesting that it's true?

Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.

Re:compelled speech and/or perjury? (1)

egamma (572162) | about 9 months ago | (#44392389)

Can the government force me to make a public statement, attesting that it's true?

Because it seems to me that the government using my private keys to sign a packet that I didn't create is substantially similar.

Bull. It's no different than the government forging your signature. They aren't compelling speech, they are forging a document.

Re:compelled speech and/or perjury? (0)

Anonymous Coward | about 9 months ago | (#44392421)

They are not the same. When the government uses your private keys to sign a packet you don't know about it (unlike when you are forced to perjure yourself in public).

Re:compelled speech and/or perjury? (3, Insightful)

Eclectic Engineer (830396) | about 9 months ago | (#44392429)

I would agree in principle. Though if the government is able to obtain said keys from someone other than yourself, they weren't really "private", were they?

Time to send out the papers... (4, Interesting)

3seas (184403) | about 9 months ago | (#44391693)

... of which The Declaration of Independence, The US Constitution and Bill of Rights are.

Most notably is The Declaration of Independence that makes it clear it is not only our right but duty to put off bad government.

And that is all the response any Founder supporting company need supply any spying government agency.

It's time to show who is a real US Citizen.

Re:Time to send out the papers... (4, Insightful)

SJHillman (1966756) | about 9 months ago | (#44391741)

Just start emailing copies of those documents to people on a regular basis and see how long before the government calls you a terrorist and arrests you for inciting revolt.

Re:Time to send out the papers... (5, Insightful)

hedwards (940851) | about 9 months ago | (#44392027)

Considering that the Tea Party hasn't been declared as such and that there has yet to be even one sedition trial for those numb nuts in congress that signed that fealty pledge to Grover Norquist, I think that it's rather unlikely that they'll charge you for sending people those documents.

Re:Time to send out the papers... (2)

schwit1 (797399) | about 9 months ago | (#44392121)

Not in so many words. But they have been targeted by the IRS and prohibited from attending public events [nationalreview.com] because they don't agree with this administration.

Re:Time to send out the papers... (1, Insightful)

Anonymous Coward | about 9 months ago | (#44392185)

Liberal groups were targeted by the IRS as well. Try to keep up.

Re:Time to send out the papers... (5, Informative)

NeutronCowboy (896098) | about 9 months ago | (#44392367)

While true, it leaves out the fun fact that this has been happening to many, many other organizations. See: http://www.npr.org/blogs/itsallpolitics/2013/06/25/195599362/Democrats-Want-Answers-On-Progressives-Targeted-By-IRS [npr.org]

So no, the IRS wasn't targeting those groups because they don't agree with the administration. It targeted those groups because claiming 501c(4) status while advertising politically charged terms is a red flag. Finally, the link you're including has nothing to do with the IRS, with participating in public discourse or even with political discrimination. These speeches are PR events. As such, they are fairly tightly controlled. And quite frankly, I'm rolling my eyes at the comment that "we just wanted to watch the speech". I'd like to hear this story from some non-GOP-propaganda outlet before I even look further into it.

Re:Time to send out the papers... (-1, Flamebait)

jpstanle (1604059) | about 9 months ago | (#44392149)

What do a bunch of anarcho-capitalist lapdogs and religious nutjobs have to do with protecting the Constitution and defending Liberty?

Re:Time to send out the papers... (2)

ttucker (2884057) | about 9 months ago | (#44392183)

What do a bunch of anarcho-capitalist lapdogs and religious nutjobs have to do with protecting the Constitution and defending Liberty?

In your view, who does have anything to do with defending the Constitution and Liberty?

Re:Time to send out the papers... (0, Informative)

Anonymous Coward | about 9 months ago | (#44392087)

Many people around here don't even know what those documents are. About 5 years ago our public schools removed the founding documents from the curriculum. They are no longer taught WHY the revolution was fought, except that it was because wealthy Americans didn't like paying taxes. Honest to God.

There is no mention of the Constitution, the Bill of Rights, the Declaration of Independence, nor the Federalist Papers. Students who bring them up and ask about them are told that it is not part of the curriculum and because of lack of funding they can't spend any time talking about them.

Way to go.

Re:Time to send out the papers... (1)

ttucker (2884057) | about 9 months ago | (#44392209)

In my high school American History class, we mostly learned how white people oppressed some people or other people at various times, and that we should become activists to affect society with communist changes.

Re:Time to send out the papers... (3, Insightful)

NeutronCowboy (896098) | about 9 months ago | (#44392381)

In my high school American History class, we mostly learned how white people oppressed some people or other people at various times,

Please explain to me how that is incorrect or even not one of the top 5 most important characteristics of the development of the nation.

Re:Time to send out the papers... (4, Informative)

istartedi (132515) | about 9 months ago | (#44392037)

How about an Article V Convention [wikipedia.org] first? AKA, a broad slate of amendments that would create a new Constitution. It would literally be a New Republic. Larry Sabato from my alma mater wrote a book about this. I don't agree with very many of his proposals though. That's the problem with such a convention or a revolution. You never know what you're going to get. So. I think this has to fester a bit more. Let's try the Article V convention first though, before we reach for the musket. It's actually a fairly extreme parliamentary maneuver, and allegedly Congress has acted under the threat of article V before.

the war is over (3, Insightful)

Anonymous Coward | about 9 months ago | (#44391701)

and stupid has won.

Re:the war is over (-1)

Anonymous Coward | about 9 months ago | (#44391871)

And won again in 2012.

Re:the war is over (2)

Salgak1 (20136) | about 9 months ago | (#44391981)

Hint: it's been winning for decades. The only competition is in FLAVORS of Stoopid... and its latest spokespuppets....

Re:the war is over (3, Insightful)

hedwards (940851) | about 9 months ago | (#44392047)

Yeah, because clearly McCain and Romney would have been less quick to take our rights away from us.

Ultimately, as long as there are voters that support this sort of bullshit it's going to continue. Obama was less likely to engage in this than any of the GOP options were.

Re:the war is over (3, Insightful)

0123456 (636235) | about 9 months ago | (#44392417)

Obama was less likely to engage in this than any of the GOP options were.

The difference is, when Republicans do something like this, the media print stories about how it's bad and should be stopped and Democrats would never do such a thing. When Obama does something like this, the media print stories about how wonderful he is and nothing he does could ever be bad.

wow. we keep going more and more insane. (1)

WindBourne (631190) | about 9 months ago | (#44391707)

I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity. No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to solve this.

Re:wow. we keep going more and more insane. (5, Insightful)

ebno-10db (1459097) | about 9 months ago | (#44391761)

No doubt this is because terrorists/spies have changed tactics

Or simply because the Feds can get away with it. KGB wannabes are like any other power hungry bastards - give them an inch and they'll take a mile. They want more because they want more. There may be some excuses they use to justify it, but the real reason is simply that they want more.

Re:wow. we keep going more and more insane. (4, Insightful)

aeranvar (2589619) | about 9 months ago | (#44391913)

The terrorists/spies have definitely changed tactics. They're putting on government uniforms now.

Re:wow. we keep going more and more insane. (3, Insightful)

Nyder (754090) | about 9 months ago | (#44392307)

I have supported the use of records and even following connections from a known terrorist, but this is insane. Pure insanity.
No doubt this is because terrorists/spies have changed tactics, but still this is the wrong way to solve this.

Terrorists haven't changed tactics. Look at the Boston Bombers, the NSA had been spying on us for years at that point.

Did they know about it? NO.
Did they stop it? NO.

So them spying on everyone is a waste of time if they can't catch any terrorist with it. In fact, they are being the terrorist against their own population by this and other actions they have been doing.

Standing up to the Feds (1)

AndyAndyAndyAndy (967043) | about 9 months ago | (#44391709)

"There's a lot of 'over my dead body.'"

I wonder how that really works out, in the long-run. What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

Re:Standing up to the Feds (1)

sjwt (161428) | about 9 months ago | (#44391771)

More to the point how many "over my dead body" statements last longer than a night in lockup, let alone awaiting a trial.

Re:Standing up to the Feds (0)

Anonymous Coward | about 9 months ago | (#44391803)

No, I'm going to show absolutely no spine at all, and give the authorities everything they want without question, including oral if asked, and then go "yes sir" and then go curl up in a corner and sob like the little bitch that I am, just like 99% of all Americans would do. Duh.

Re:Standing up to the Feds (2)

intermodal (534361) | about 9 months ago | (#44391805)

I absolutely would, especially as a start-up. Buckle when you're small and you'll lose what customers you have and go out of business.

Re:Standing up to the Feds (3, Insightful)

blackraven14250 (902843) | about 9 months ago | (#44391879)

Considering that the vast majority of people, up until now, would've never known for sure that you buckled to government pressure, you're thinking in a far more optimistic plane than reality. In reality, you, as a small business owner, would buckle, nobody using your service would know about it unless you announced it outright, and it would affect your business in absolutely no way at all.

Re:Standing up to the Feds (1)

intermodal (534361) | about 9 months ago | (#44391957)

You might think that, but no, I would have refused even a year ago.

Re:Standing up to the Feds (3, Insightful)

hedwards (940851) | about 9 months ago | (#44392081)

Assuming you knew. In practice the worst of this is done under gag order so that nobody knows which services are engaged in this sort of illegal spying. And thanks to the numb nuts that W had installed on Supreme Court, it's even harder to get the constitution enforced than it used to be. Damned activist judges.

Re:Standing up to the Feds (2)

intermodal (534361) | about 9 months ago | (#44392345)

If you're looking to get into that fight, go elsewhere. I've had enough of bickering with partisan trolls today. It's always a crapshoot as to which major party's political trolls will show up on a given day.

Re:Standing up to the Feds (5, Insightful)

dougmc (70836) | about 9 months ago | (#44392039)

What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

If you have little legal know-how and are confronted with an important legal issue that could have serious ramifications if you screw it up, you consult with a lawyer.

If you are smart, this is always the case, be you a startup, a large company or an individual.

A small company probably won't have a lawyer on payroll, but certainly, they can still pick up the phone and call one. It'll cost some money, yes, but even small businesses need lawyers for lots of things, so the concept should not be foreign to them.

Now, if you're saying that "legal know-how" means knowing when an issue is important and could have serious ramifications, well, that doesn't require much skill. If you receive a demand from the government of any sort and it's not something you're familiar with, a quick consultation with a lawyer would be prudent. Especially if it just plain sounds wrong.

Now, your lawyer may very well advise you to just give them what they want, but still, asking him was the right thing to do.

A bigger problem is the gag orders that tend to come with these orders, where you can't even tell somebody that you received them. You can generally still consult with a lawyer, but even so, they really do fly in the face of the rights we used to think we have.

Re:Standing up to the Feds (1)

amicusNYCL (1538833) | about 9 months ago | (#44392443)

What if you're an online start-up, with little legal know-how? Are you really going to resist demands from such a high level?

Sort of depends on your ethics and principles, doesn't it? If it's important to you to defend the constitution and your rights, then yeah I hope that you would resist those demands. It's about principles, if the reason you're doing business in the US is to make money, then you probably don't care. If the reason you're doing business in the US is because you like the US and what the founders stand for, then hopefully you'll grow a spine and stand up for your principles, with the knowledge that they might try to make an example out of you.

Name and Shame (1)

Anonymous Coward | about 9 months ago | (#44391721)

It's a pretty pointless article if you don't name the company.

Hmmm... (5, Funny)

girlintraining (1395911) | about 9 months ago | (#44391735)

They can ask. All passwords are one-way hashed using a 16384 bit salt and run through 4,000 rounds of AES before being stored in the database. Over there in the corner is our custom-built core which does the password retrieval, comparison, and pass-fail out onto a RADIUS server. The network name is NSA_COCKBLOCK... feel free to have a copy of the algorithm and database.

Re:Hmmm... (2)

greg1104 (461138) | about 9 months ago | (#44391893)

I run my passwords through a full 12,000 rounds of ROT-13.

Re:Hmmm... (3, Funny)

DigitAl56K (805623) | about 9 months ago | (#44392359)

The ROT-13 jokes are really getting old, and anyone who cares about their security has already upgraded to ROT-26.

Re:Hmmm... (0)

Anonymous Coward | about 9 months ago | (#44391929)

Perhaps in your wet dreams. In reality, it's more like: "Oh...yeah, sure. But we also have a plaintext copy of the password data lying around somewhere, wouldn't that be better for you?"

Re:Hmmm... (0)

Anonymous Coward | about 9 months ago | (#44391987)

Well if the password is encrypted with AES, it can be decrypted. You probably want to use a hashing algorithm like bcrypt instead of encryption. You really don't WANT to be able to retrieve the user password. You just want to ensure that the hash matches.

Black Hat hears, and thinks... (2)

rsborg (111459) | about 9 months ago | (#44391743)

How can I get a piece of this action - it's probably not impossible to impersonate the Fed to get companies to cough up their entire user credential stores... just a few large-bag hit and runs could net millions in CC#.

Re:Black Hat hears, and thinks... (4, Funny)

ebno-10db (1459097) | about 9 months ago | (#44391825)

just a few large-bag hit and runs could net millions in CC#.

Credit cards? You think small. How about getting access to the Federal Reserve? Considering all the money they give away to bail out financial institutions that should be in receivership, you could probably take a few billion and it would be dismissed as a rounding error.

Re:Black Hat hears, and thinks... (0)

Anonymous Coward | about 9 months ago | (#44391873)

Do you really think they ask for the data they need? The system is set up so that the information is reported in at regular intervals.
You can't ask for the data, you need to re-route the communication already in place.

Re:Black Hat hears, and thinks... (5, Interesting)

Em Adespoton (792954) | about 9 months ago | (#44392127)

I've always wondered... what stops people from issuing fake FISA orders? I mean, if anyone challenges them, you just say they don't have the clearance. FISA *IS* catch-22.

You can't even go after someone issuing such an order with "impersonating a federal officer" -- as unless you're the President of the US, /how would you know/?

I imagine a terror group could make a pretty quick job of any public works under the guise of FISA.

Re:Black Hat hears, and thinks... (0)

Anonymous Coward | about 9 months ago | (#44392263)

Impersonate? Get a job at one of the NSA subcontractors, grab the data you want and run.

large Silicon Valley company? (0)

Anonymous Coward | about 9 months ago | (#44391745)

Come on, tell us who you are so we can not use you any more.

Wow (1)

slashmydots (2189826) | about 9 months ago | (#44391759)

So now we're doing redundant text in a summary that references a redundant story that was an accidental dupe of another redundant story. It's slash-ception!

"The Cloud" (0)

Anonymous Coward | about 9 months ago | (#44391781)

Was such a terrible idea.

Not surprised (0)

Anonymous Coward | about 9 months ago | (#44391793)

Solution? Don't know your users' passwords. Store the hash, but send the salt to the user. Require both on log-in. Not sure how to ensure the salt stays secure en route, though. Require users have PGP? Send it snail mail in a sealed envelope?
 
Of course, this would have the side effect of limiting one's customer base.

Re:Not surprised (0)

Anonymous Coward | about 9 months ago | (#44391881)

I've been wondering why not just use the password to generate a salt for itself? Would this increase collisions or something?

Re:Not surprised (1)

Anonymous Coward | about 9 months ago | (#44392089)

The purpose of the salt is so that if two users have the same password, the salt is combined with it when it is encrypted so that the encrypted hash comes out different for both users.

That way, if the attacker gets ahold of the DB containing all the encrypted passwords and they happen to figure out what one of the passwords is, they can't just search the DB for someone else that has the same encrypted hash and then know that user also used the same password.

Re:Not surprised (0)

Anonymous Coward | about 9 months ago | (#44392091)

If you can generate the salt, then you can generate the hash, then you can generate a rainbow table.

Re:Not surprised (1)

jakimfett (2629943) | about 9 months ago | (#44392125)

I do something similar to this. The salt is actually a 3 part key. The middle bit is a "preset" key generated per deployment, the bits on each end are the username and password, respectively. Then I run it through a round of Whirlpool [wikipedia.org].

Re:Not surprised (4, Informative)

blueg3 (192743) | about 9 months ago | (#44392063)

The way salt works, there is no reason to keep it secret. You don't need to secure it from disclosure at all.

What you're describing is simply a shared secret. (That is, the same piece of data is held by both parties.) This is fundamentally no better than having a password and storing the password itself (in which case the password is a shared secret) -- the only difference is that it's not provided by the user, so it can be high-entropy.

Generally having a shared secret for authentication isn't nearly as secure as having a secret that you know but the other party can verify without storing that secret. For instance, the other party storing a hash of your password.

Incidentally, if you want to establish a shared secret between two parties, the way to do this is the Diffie-Hellman key-agreement protocol. It results in both parties ending up with the same shared secret by transmitting messages that are publicly-readable without giving anyone reading the messages enough information to construct the secret.
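The two points the thread keeps circling, that a random per-user salt needs no secrecy and that a salt derived from the password itself (the scheme asked about a few replies up) does no work, are shown below in an added example. It is not code from any poster; the PBKDF2 parameters, the sample passwords and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not code from the thread. Demonstrates why a per-user random
# salt can be stored in the clear next to the hash, and why deriving the salt
# from the password itself defeats its purpose.

ITERATIONS = 100_000  # PBKDF2 work factor (assumed); production tunes this higher


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per user and is stored in
    plaintext alongside the digest; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest from the stored, public salt and compare in
    constant time. Nothing secret is needed beyond the candidate password."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_different_digests(password: str) -> bool:
    """Two users who chose the same password get different salts and hence
    different digests, so a leaked table does not reveal who shares a password."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


def hash_with_password_derived_salt(password: str) -> bytes:
    """The scheme asked about in the thread: salt derived from the password.
    The salt is then a pure function of the password, so identical passwords
    yield identical digests and one precomputed table covers every user."""
    derived_salt = hashlib.sha256(password.encode("utf-8")).digest()[:16]
    _, digest = hash_password(password, derived_salt)
    return digest


def password_derived_salt_collides(password: str) -> bool:
    """True when two users with the same password end up with the same digest
    under the password-derived-salt scheme, i.e. the salt did no work."""
    return hash_with_password_derived_salt(password) == hash_with_password_derived_salt(password)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    salt, digest = hash_password("correct horse battery staple")
    print("stored salt (public):", salt.hex())
    print("verify right password:", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", salt, digest))
    print("random salt separates equal passwords:", same_password_different_digests("hunter2"))
    print("password-derived salt collides:", password_derived_salt_collides("hunter2"))
```

The salt is handed to `verify_password` straight from storage, which is the whole point: a server that keeps only `(salt, digest)` can check a login but cannot answer a demand for the password, and publishing the salt does not change that.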

How to protest (0)

Anonymous Coward | about 9 months ago | (#44391801)

Everybody, change your password to "Password" so that they think their algorithms don't work.

Re:How to protest (2)

Em Adespoton (792954) | about 9 months ago | (#44392179)

change your password to "aeb30d1be48a8ed9" and store it in plaintext :D You could add some salt, I guess, but that'll leave them guessing either way....

Re:How to protest (1)

bmo (77928) | about 9 months ago | (#44392237)

All of my passwords look like that. Randomly generated with special characters. Typically 25 chars long.

They are in a password manager. I don't have to remember them at all. It's easier than having passwords I can remember but are easier to guess/can be found by rainbow table.

--
BMO

Quickly!! (0)

Anonymous Coward | about 9 months ago | (#44391829)

Type your password under this thread to have it on a "Do not collect" list.
It's okay, this thread will show it to you but not others. Here's mine
***********

how to make bureaucrats value privacy (5, Insightful)

bzipitidoo (647217) | about 9 months ago | (#44391839)

Names. Give us some names. I'd like to know who are these bureaucrats who ask for passwords? Then, I'd like to see them sweat over the possibility they might be censured, might lose their jobs.

Let them experience how thrilling it is to have their dark glasses taken away, feel what it's like not to be faceless anymore. Then, maybe they'd appreciate privacy a little more.

Re:how to make bureaucrats value privacy (1)

ArcadeX (866171) | about 9 months ago | (#44392033)

bureaucrats are protected, it's the agency pukes that are making the request and only the 'secret court' knows which bureaucrats are involved, and that's a national security issue... even if it weren't, crooks get re-elected on a regular basis and John Q Public doesn't care about evil technology issues... THINK OF THE CHILDRENS!

Is this different from perlustrating mail? (1)

mi (197448) | about 9 months ago | (#44391889)

How is this different from perlustration of regular mail and bugging the phone wires? I did not like those either, but I don't see this new development as particularly illegal...

Re:Is this different from perlustrating mail? (3, Informative)

Todd Knarr (15451) | about 9 months ago | (#44392085)

  • Both of those require a specific warrant and justification of the need for the intercept. Neither gives unlimited access to things other than the mail or phone calls. Having my password, by comparison, gives them unlimited access to everything on that account whether it's related to their investigation or not.
  • Neither of those give the police unlimited ability to impersonate me. Having my password, by comparison, allows the police to change anything on my account and add new things if they want, and every record and audit trail will show that I did those things.

NB: the second is why sysadmins don't log in as root and don't request user passwords. Logging in as their ordinary user and then su'ing to root leaves a record in the audit log of which sysadmin was doing what as root. And if we need to access your account as you, su'ing to root and then to your account leaves a record of which sysadmin was responsible for the access.

Re:Is this different from perlustrating mail? (1)

Wahakalaka (1323747) | about 9 months ago | (#44392141)

IIRC you need a warrant for perlustrating mail and bugging phones. Not sure that's what's happening here...

Companies shouldn't have this anyway (4, Interesting)

gnasher719 (869701) | about 9 months ago | (#44391891)

1. A company shouldn't have my password stored anywhere in a form that they can decrypt it.
2. A company shouldn't have the answers to my security questions stored anywhere in a form that they can decrypt it.

That makes it very easy then: "We would gladly comply with your request, but sorry, we can't".

Re:Companies shouldn't have this anyway (0)

Anonymous Coward | about 9 months ago | (#44392103)

The problem is, that's not really possible. At some point, you have to know the user's password. That point is usually when they send it to you to authenticate. One line of code (being forced to add) in any system in the world will divert all authentication attempts to a log file in addition to being hashed and compared to the "officially stored" password. A few extra lines of code and it's only successful authentication attempts that get logged.

Re:Companies shouldn't have this anyway (1)

MetalliQaZ (539913) | about 9 months ago | (#44392167)

Actually, no. That isn't true. They never need to know the actual password.

Re:Companies shouldn't have this anyway (3, Insightful)

grumpy_old_grandpa (2634187) | about 9 months ago | (#44392469)

GP is right: Somewhere in the code, the password has to be kept before it is passed on to the hashing function. His point was that the system maintainer might be forced by a spy agency to alter the code so that the password variable is not temporary, but instead logged in persistent storage.

But even disregarding NSA, the link between the authentication system and the UI is usually the weakest. That's where we see attacks like key-loggers, phishing scams, attacks on secure memory, etc. Again, it proves his point: The password will be known by some part of the system, even if it's temporary, before it is passed on for hashing or validation.

Re:Companies shouldn't have this anyway (1)

Wahakalaka (1323747) | about 9 months ago | (#44392117)

What do you do when they tell you to put in new code to intercept login credentials prior to encryption and send it to them? =[

Re:Companies shouldn't have this anyway (1)

jakimfett (2629943) | about 9 months ago | (#44392155)

This. Anything security related needs to be encrypted. And plaintext sensitive information is just wrong. Every time a service emails me my password instead of requiring me to set a new one, I cringe, and when possible, send an email to the admin or owner of the service before deleting my account.

I hope they ask SpiderOak for mine (1)

Overzeetop (214511) | about 9 months ago | (#44391899)

I'd just like to be there to see the blank stare.

Re:I hope they ask SpiderOak for mine (1)

ArcadeX (866171) | about 9 months ago | (#44392131)

Sign up for a new account under the name 'snowden' and I bet spideroak will be 'under new management' in less than 24 hrs, with all traffic being 'verified' by a new server complex...

... for the children. (1)

Anonymous Coward | about 9 months ago | (#44391907)

Those damn kids will be the death of us yet.

simple (1)

Yaur (1069446) | about 9 months ago | (#44391971)

It's just not technically possible and not something that my company would ever do because it would destroy the integrity of audit logs.
If they really need to have access as a specific user we have an impersonation feature (for tech support) that allows one user to perform actions in the system with the rights of another, except that the logs still tell us who is actually doing stuff. Seems like a much better way to deal with this kind of request.
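
One way such an impersonation feature can keep its audit trail honest, as an added example that is not Yaur's company's code or anyone else's (all class and function names are hypothetical): authorization is checked against the impersonated account's rights, but every log entry carries the real operator's name, so no password is ever needed and the log never lies about who acted.

```python
"""Impersonation with an audit trail that records the real actor (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List


@dataclass
class User:
    name: str
    roles: FrozenSet[str]


@dataclass
class AuditEntry:
    ts: str
    actor: str      # the person who actually performed the action
    effective: str  # the account whose rights were used
    action: str


@dataclass
class Session:
    actor: User
    effective: User
    log: List[AuditEntry]

    def perform(self, action: str, required_role: str) -> bool:
        # Authorize against the effective user's rights, but record the actor.
        allowed = required_role in self.effective.roles
        self.log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                   self.actor.name, self.effective.name,
                                   f"{action} [{'allowed' if allowed else 'denied'}]"))
        return allowed


def login(user: User, log: List[AuditEntry]) -> Session:
    return Session(user, user, log)


def impersonate(session: Session, target: User) -> Session:
    # Only support staff may impersonate, and doing so is itself an audited event.
    if "support" not in session.actor.roles:
        raise PermissionError(f"{session.actor.name} may not impersonate")
    session.log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                  session.actor.name, session.actor.name,
                                  f"impersonate:{target.name}"))
    return Session(session.actor, target, session.log)


def actors_for(log: List[AuditEntry], effective_name: str) -> List[str]:
    """Real people who ever acted with `effective_name`'s rights."""
    return sorted({e.actor for e in log if e.effective == effective_name})
```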

Re:simple (1)

omglolbah (731566) | about 9 months ago | (#44392241)

Unless you're impersonating user A to get users B, C and D to do something stupid, or share something important.

And of course you do not want to leave anything in audit logs to prove that you did, because the only legal protection you have impersonating user A is that nobody knows how your agency is interpreting the law. Until they do, you act in good faith that what you are doing is legal...

Or some bullshit reason like that.... I do not agree, but I see how it tends to be explained away these days *sigh*

*yawn* (0)

Anonymous Coward | about 9 months ago | (#44392003)

When are the Kardashians on?

This is all USAsians care about, anyway. Nobody gives a shit about what government does to them as long as they have their bread and circuses.

I would say we are Rome, but I have to believe that Rome actually fell before it got this bad.

No names? (1)

fustakrakich (1673220) | about 9 months ago | (#44392015)

Fuck you. I don't believe it then. Or it's just better to assume the worst, that they all give up your info while putting up a show of 'resistance'.

Whatever... This is what you people voted for so maybe you should redirect your feeble outrage.

How this relates to Snowden (4, Insightful)

grasshoppa (657393) | about 9 months ago | (#44392023)

I find myself wondering how much of this (master keys, passwords, etc.) we'd be discussing NOW had it not been for Snowden having the balls (if not the brains) to leak what he's leaked.

Note to future leakers: Make sure you work out your living situation BEFORE pissing off one of the largest governments in the world.

Jawohl, Heil... to whom...? (-1)

Anonymous Coward | about 9 months ago | (#44392041)

Now, I'm confused too. What is it, bicuriosity?

Someone is going to have to put a tool in orbit (1)

Marrow (195242) | about 9 months ago | (#44392193)

Some kind of orbital strongbox that will act as the world's encryption key fob. Something that dodges around in an irregular orbit and explodes if anyone gets close to it.

We're letting Gov do this (1)

GodfatherofSoul (174979) | about 9 months ago | (#44392245)

Until Americans man up and accept the reality that Big Brother can't guarantee 100% security, they're going to keep doing this. I'm disheartened by how relatively low disapproval for these practices is. I think I heard only 56% against. In the US, I would expect those numbers to be astronomical.

Surprising there isn't more sub channel news (4, Interesting)

Marrow (195242) | about 9 months ago | (#44392269)

About these penetrations. You would think there would be daily broadcasts from Anonymous or somebody indicating which systems have been hacked by the government. It's like people aren't talking about it much at all.

How did that go again? (0)

Anonymous Coward | about 9 months ago | (#44392301)

Something about a tree of liberty and tyrants, wasn't it?

Follow the Money (0)

Anonymous Coward | about 9 months ago | (#44392325)

You may not stop much terrorism with this kind of monitoring, but you sure could make a lot of money.
If you don't understand that, just wait.
