
Feds tell web firms to turn over user passwords - antman
http://m.cnet.com/news/feds-tell-web-firms-to-turn-over-user-account-passwords/57595529
======
noloqy
It is time for software companies to unite. Feds can't just continue roaming
around, asking companies for their users' password hashes and other things.

In the current state, some big companies have the means to fight such
requests, some big companies are very willing to cooperate, and small
companies rarely have the means to go into a legal battle.

Because of the current fragmentation and secrecy surrounding feds' requests
with software companies, users do not have the possibility of knowing what
they're in for with which company. Also, the divide and conquer tactics used
by the Feds really allow them to extract much more information than what would
otherwise be the case. Ideally there should be a union for software companies,
which makes agreements with the feds concerning their access rights;
agreements which then apply to all members of the union.

Currently I have two rules of thumb: 1) for critical services, avoid companies
located or significantly involved in the US or UK and 2) at all costs, stay
away from Microsoft.

~~~
rlvesco7
Do we think that services like Mint are handing over all our financial data to
the government (making it easy for them to have a picture of your entire
finances)?

If so, are there any viable, offline alternatives?

~~~
girvo
For what it's worth, I'm working on a Mint competitor of sorts (one that takes
advantage of Machine Learning to automatically help you save). It will be based
in Australia, not the US, and the basic app will be released as open source
for personal self hosting.

~~~
Joeri
I don't think any country is safe at this point. TNO (trust no one) is the
only solution. Your cloud provider should have no ability to hand over your
data because they can't decrypt it themselves. For example, Lastpass has an
architecture where the passwords are encrypted and decrypted on the client,
the server never sees anything but pseudorandom noise, and you can audit their
browser addon to verify this. You can, with careful design, build many - if
not most - cloud services in this way.

~~~
girvo
That is exactly what we are trying to do. The problem is that it is somewhat at
odds with machine learning in practice, but I have some ideas in the space.

------
Robin_Message
Hear me out: with a sensible court order and oversight, requesting a single
user's password makes a lot of sense. Let's say you've taken a suspect in to
custody, but want to capture their co-conspirators [1]. One way to do that
might be to impersonate them online so as to keep their plot moving forward.

In what ways is it in a different category to their phone company handing over
their call logs and getting someone to impersonate their voice (or send a text
message) to an associate?

A single password, in an active situation, with oversight [2], is a totally
different proposition from something like Prism or handing over SSL private
keys.

[1] Not sure about US law on entrapment, but "bring the kit, we're doing it
tonight, rendezvous is XYZ" and then seeing who turns up with what doesn't
sound like entrapment to me.

[2] I have no idea what oversight might or might not be applied. "No comment"
from the government is admittedly not an encouraging sign.

~~~
pfisch
No, because competent companies don't just have people's passwords. They would
have to give the encrypted password, encryption method and salt which would
greatly weaken the companies own internal security because now a bunch of
people know a lot about the encryption system of the company and those people
can't be trusted to keep the information secure.

~~~
Xylakant
Good encryption systems assume that the algorithm is known and still are
secure in face of that requirement. So if publishing the method makes your
system insecure then it's already insecure by design. Security through
obscurity is not a viable approach.

~~~
eToThePiIPower
Yes, good encryption/hashing assumes the algorithm is known, but we're also
talking about giving away the salt. The salt in a secure hash plays an
analogous role to the secret key in an encryption cipher; both are assumed
_unknown_ by an attacker.

------
forgotAgain
This strikes me as a very thin story with a lot of filler added. A red flag
for me with the article is that the headline uses the word "tell" while quotes
from anonymous sources use the word "request". There's nothing wrong with the
government asking for access to a user account if they have a legitimate (ie.
named) court order.

This is the most important story for this country since 9/11. Third rate
journalism won't be part of the solution.

~~~
andrewcooke
You do recognise the author, right? It's not some random hack - Declan M has a
long history and a good reputation. I'd take his word over some random HN
doubter any time.

~~~
forgotAgain
Good reporting isn't about taking someone's word for something. It's about
facts. The story has little substance to it. Who wrote it is beside the
point.

------
jgeerts
Welcome to the world, this is a webcam, put it on your head so we can watch
your every move at all times.

What the hell is wrong with the government? Is it really their business to
interfere with personal life? It's their job to facilitate the community, to
find solutions for people's lives. This is not a solution; they are creating
overly complex problems and unnecessarily spent money. We need less government,
fewer people there with less money; it seems they have too much of it and way
too much time.

~~~
nodata
That really is the missing piece in the puzzle: what on earth do they need
such deep and complete access into everyone's lives for?

~~~
sillysaurus
It's a government. Their natural desire is to govern lives.

------
downandout
I'm not sure how beneficial it is to ask for salted password hashes, when a
simple change in the wording of the request to a judge (or the FISA court
rubber stamp factory) would yield an order for the provider to capture and
turn over the plaintext password the next time the user logs in. US judges
will do almost anything they are asked, especially if the requesting agency
uses the "T" word. Either these agencies don't know what to ask for, or they
are already doing this and no one has written a story about it.

~~~
pestaa
What's the "T" word, please?

~~~
downandout
Terrorism.

~~~
pestaa
Thanks, obvious in hindsight.

------
8654395
Throwaway account just to post this. Of course the Feds will have access to
whatever they deem necessary even if it takes them time to get the pieces in
place. It's the users who ultimately lose the most.

I'm learning the hard way just how much the user is the one ultimately screwed
when it comes to account access. My father just recently died very
unexpectedly and tragically. He was generally retired but still doing a dozen
or so small tech consulting projects here and there and using his personal
accounts on Gmail/Facebook/etc. for everything.

Facebook simply will not give any family member access to a deceased person's
account. Google will consider it after you fill out a form and send them a
bunch of documentation. Then they will consider and may possibly end up
sending you off to get a court order and the like, but you're entirely subject
to their own decision about whether you can get access to your deceased family
member's main form of personal and business communication. You do _not_ own
your Gmail account, regardless of the shit they spout about you being able to
download your data using takeout. If your estate can't get "your" data, you
didn't really own it.

Yes, I know there are steps that could have been taken to have given access to
others on the event of one's death, but realistically what percentage of
Gmail/Facebook users have taken those steps? And why should those accounts be
different from normal digital accounts like bank accounts where a standard
court estate document is enough?

~~~
Karunamon
>Then they will consider and may possibly end up sending you off to get a
court order and the like,

So you expect them to accept any old paper that looks like a court order
without a vetting and verification process?

>If your estate can't get "your" data, you didn't really own it.

If you can't legally prove that you are part of "your" estate, then you're
SOL. And getting _anything_ done legally takes time. Sometimes lots of it.

~~~
8654395
I never said I expected them to accept a court order without verification.
Simply that there should not be discretion on their part if proper estate
documents are presented. They have made it clear that they have discretion, so
the account itself is not actually considered part of the estate by Google.

~~~
Karunamon
Ensuring that those documents are valid is considered "discretion"...

------
EnderMB
This is probably a stupid comment to make, but when the feds request these
passwords what is stopping a firm from giving over a set of tampered
passwords?

Let's say a request is made for Google to give over loads of Gmail passwords.
Could they not silently implement an extremely strong password encryption on
the affected accounts, and hand over these passwords, knowing that the feds
wouldn't be able to crack them without a significant amount of time.

Also, are the feds likely to check to see if these passwords are legitimate?
If my password was 12345 and Google simply told them that my password was
54321 then how could the feds possibly know that the passwords sent over are
real?

EDIT: Obviously, I know this is highly illegal, and would land any company in
trouble. I'm just wondering whether, theoretically, this is possible for a
firm to do to circumvent any action from the feds.

~~~
rlpb
Silently sabotaging LEOs' efforts like that would be rightfully highly illegal.
"Perverting the course of justice" in the UK. I assume there's a US
equivalent.

It's just not worth a company risking this kind of tampering. They could go to
jail for that.

By all means, companies should fight back legally, and it sounds like they all
are. I applaud them for that. But I think it's unreasonable to expect them to
break the law for you.

~~~
EnderMB
You're absolutely right. However, is it a crime that could be tracked, without
an employee explicitly whistle-blowing to the feds? Even then, could the feds
prove this? I'm no expert, and I'm probably wrong in saying this, but in my
mind it'd be near impossible to prove that a provided hash had been tampered
with, instead of a user just changing their password.

It's morally wrong, and obviously I'm not saying it's the way to go. It's just
a theory that I had, and I wanted to know if it was feasible for a company to
do this.

~~~
TomNomNom
FWIW if a fed has an account with the service (which is fairly likely for big
services like Gmail et al), and knows the hashing algorithm (if they've
successfully got the passwords this is pretty likely too) they could prove it
easily by hashing their password themselves and comparing it to the stored
version.

------
oelmekki
We really need to systematically implement in our login systems what many ssh
servers do when you log in: "Hello <username>. Your last login was at <time>
from <ip>".

It won't solve the problem, but it'll certainly help a bit.

EDIT after a few comments :

This will not make it impossible to steal an identity. But this will cost us
almost nothing and imply a high cost for spooks: if you have a user's password,
you can use it on many websites, for common users, without the related company
even knowing it. If you implement a last-login timestamp, it's something you can
do within hours, without any need for heavy architectural changes, and it will
cost spooks a lot to try to fake it on every website, for a large number
of users.

Cheap to us, costly to them. That's the way to go for me.
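The last-login banner described above, as an added example written for this page (not code from the commenter or from any real login system). It records the time and source address of each successful login, keeps a short per-user history, and returns the previous entry so the landing page can show the sshd-style line. The class and function names, the history length and the message wording are this example's own choices; the sample timestamps and addresses in the usage are constructed.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional

HISTORY_LENGTH = 10  # past logins kept per user (this example's choice)


@dataclass(frozen=True)
class LoginRecord:
    when: datetime
    ip: str


class LoginLog:
    """Per-user record of successful logins, kept next to the session store."""

    def __init__(self) -> None:
        self._history: Dict[str, Deque[LoginRecord]] = {}

    def record(self, username: str, ip: str,
               now: Optional[datetime] = None) -> Optional[LoginRecord]:
        """Call right after password verification succeeds. Stores this login
        and returns the previous one (None on the first recorded login)."""
        now = now or datetime.now(timezone.utc)
        history = self._history.setdefault(username, deque(maxlen=HISTORY_LENGTH))
        previous = history[-1] if history else None
        history.append(LoginRecord(now, ip))
        return previous

    def history(self, username: str) -> List[LoginRecord]:
        """Most recent logins, oldest first, for an account-activity page."""
        return list(self._history.get(username, ()))


def greeting(username: str, previous: Optional[LoginRecord]) -> str:
    """The banner to show on the landing page after login."""
    if previous is None:
        return f"Hello {username}. This is the first login we have recorded."
    stamp = previous.when.strftime("%Y-%m-%d %H:%M:%S %Z")
    return f"Hello {username}. Your last login was at {stamp} from {previous.ip}."


if __name__ == "__main__":
    log = LoginLog()
    # Constructed sample logins (documentation addresses, not real traffic).
    first = datetime(2013, 7, 25, 9, 0, tzinfo=timezone.utc)
    second = datetime(2013, 7, 26, 21, 30, tzinfo=timezone.utc)
    print(greeting("alice", log.record("alice", "192.0.2.10", first)))
    print(greeting("alice", log.record("alice", "198.51.100.7", second)))
```

The banner only helps if the user actually reads it, and, as the replies note, a login path that bypasses `record()` leaves no trace; the value is that every site doing this cheaply forces an impersonator to fake it everywhere.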

~~~
BadassFractal
Is there anything to prevent them from creating a separate unlogged login
system specifically for this kind of use?

~~~
oelmekki
Nope. We can't achieve total security. One may argue it's a good thing : there
actually are a few bad guys, out there.

But the cost to apply this to every single website they want to spook on will
be prohibitively high for massive use.

------
falk
This is why I won't be using iCloud Keychain.

~~~
rahoulb
Depends how it is implemented.

LastPass say that all your details are encrypted client-side via your master
password, so they cannot access anything of yours.

There's nothing to stop Apple doing the same - but I suspect they won't.

~~~
drivingmenuts
On the other hand, Apple _might_ be rethinking that policy right now.

I hope they are, anyway.

------
josteink
OwnCloud is just looking better and better.

~~~
benev
I set it up just to have a play with after the PRISM story broke, and I've
been really impressed. Now, if only OX office [1] finally gets released, I'll
have all my cloud stuff running on my own server.

[1][https://www.ox.io/](https://www.ox.io/)

EDIT: It's OX Text I'm most after
([https://www.ox.io/ox_text](https://www.ox.io/ox_text))

~~~
pestaa
Is there anything else you're running besides ownCloud and soon OX?

~~~
benev
Not at the moment. ownCloud does my file backup and sync between devices,
calendar, cloud music player and to-do list manager.

I'm considering setting up my own e-mail system, but haven't gotten around to
it yet.

EDIT: Actually, I forgot I installed Piwik for web analytics. Not that it's in
any way needed for what I do, but I wanted to see what it's like. I was
impressed, but haven't pushed it yet.

------
fexl
They're also demanding private SSL keys:
[http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/](http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/)

In that case they can easily sniff passwords as they are used.

~~~
dhimes
This is actually the bigger story because it's a smarter way for them to go
IMHO.

------
elchief
How fast could the NSA crack a BCrypt-hashed password?

~~~
svantana
It depends on whether your password is "kittenz" (one minute) or
"A39cBiwe&4j2fqVz1uQ" (years and years)

~~~
hahainternet
No. It depends on the number of rounds.

------
chrischen
Aren't most passwords 1-way hashed? Seems like this is only going to give them
access to low-level passwords.

~~~
nwh
Meant to be, but most aren't. I know that my bank, ISP, and mobile carrier all
store my passwords in plain text.

Along with all these jokers —
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

~~~
chrischen
Someone should create a third party certification program where they take a
look at your password storage code, and if it uses industry best practices,
you can display a badge on your site.

~~~
venomsnake
And what prevents me from creating a simple page that redirects to plaintext on
login if given an order after the audit? With NSLs, currently the situation is
whatever Lola wants, Lola gets.

~~~
stan_rogers
There's no need to; the password plaintext is available _during_ the login
process anyway. There's a difference between not _storing_ it and not _having_
it. All that would be required, really (assuming you don't want to store
passwords, but are terribly, terribly concerned with the ability to extract a
particular password under particular circumstances) is a conditional that
shunts the plaintext somewhere before the login script/module dies. The login
then continues as normal, but the bells and sirens go off and the plaintext
password is available outside of the system. This, though, depends on user
login after the fact, so to speak; turning over the hashes may mean more work
for the interested authorities, but it won't depend on new logins.
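The comment above rests on the server seeing the plaintext at login because verification happens there. The trust-no-one design Joeri describes earlier in the thread (LastPass-style client-side encryption) removes that: the password never leaves the device. The following is an added example written for this page, not LastPass's code or protocol, in Python. The client stretches the master password, splits the result into a vault key and an authentication key, and sends only the authentication key; the server stores a verifier of that key plus an encrypted blob it cannot read. HMAC-SHA256 in counter mode stands in for a real AEAD (AES-GCM or ChaCha20-Poly1305) so the example runs on the standard library; the key labels, iteration counts, record layout and the `Server` class are this example's own choices, and the sample account and secret are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # client-side work factor; tune to the client device


def derive_keys(email: str, master_password: str) -> Tuple[bytes, bytes]:
    """Client side. Stretch the master password once, then split it into two
    independent keys: vault_key never leaves the device, auth_key is what the
    server receives instead of the password. (Labels are this example's own.)"""
    seed = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), KDF_ITERATIONS)
    vault_key = hmac.new(seed, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(seed, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher so the example
    needs no third-party library; use AES-GCM or ChaCha20-Poly1305 in practice."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from vault_key. Output: nonce|ct|tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(vault_key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); refuses to decrypt anything whose tag does not verify."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Everything the provider holds. Handing all of it over reveals neither
    the master password nor the vault contents."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, bytes]] = {}

    def register(self, email: str, auth_key: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        # auth_key is already high-entropy, so a light second hash is enough to
        # stop a database leak from doubling as a ready-made login credential.
        verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000)
        self.users[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, auth_key: bytes) -> Optional[bytes]:
        """Returns the user's encrypted blob on success, None otherwise."""
        rec = self.users.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, rec["salt"], 10_000)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            return None
        return rec["blob"]


def round_trip(email: str, master_password: str, secret: bytes) -> bytes:
    """Register, log in, fetch the blob and decrypt it locally. The only thing
    that crosses the wire in the password's place is auth_key."""
    vault_key, auth_key = derive_keys(email, master_password)
    server = Server()
    server.register(email, auth_key, seal(vault_key, secret))
    blob = server.login(email, auth_key)
    if blob is None:
        raise RuntimeError("login failed")
    return open_sealed(vault_key, blob)


if __name__ == "__main__":
    # Constructed sample account and vault entry.
    print(round_trip("alice@example.com", "correct horse battery staple", b"gmail: hunter2"))
```

Even a provider ordered to capture `auth_key` at login gains only the ability to authenticate to itself and fetch a blob it already holds; decrypting it still needs `vault_key`, which is derived on the client and never transmitted. The design therefore depends on the client code being auditable, which is the point Joeri makes about the browser addon.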

------
zedstar
So all we need to do is change our password every day or so? As long as it is
faster than the bureaucracy?

~~~
wesley
Some kind of automated solution to handle this would be nice. Think 1password
with automated password changes daily.

How hard can it be? It can already log in by itself, now it just needs to know
the page where you can change your password.

~~~
AlexeiSadeski
Then the Feds will just get the info straight from 1password - or whichever
password manager implements such a plan.

Really, the only solution to this kind of thing is offshore corps.

~~~
Styn
1Password doesn't store your passwords, it generates them on the fly. You
would need to hand over your encrypted password storage and your passphrase.
Both of which 1Password has no control over.

~~~
nwh
That's not entirely correct.

1Password is a local, encrypted store of known passwords. Nothing is
generated, except for the original passphrases themselves, which are
completely random (not from a seed).

~~~
Styn
Yeah, I was a little too quick in writing that. What I meant to write was that
1. passwords are stored locally and 2. you have the option to generate
passwords with predefined complexity parameters. It would be possible to use
this password generating feature to update your passwords automatically at a
set interval.

------
saurabhnanda
How does this play with DMCA anti-circumvention provisions?

------
diminoten
Why do web firms have my passwords in the first place?

------
cs648
Was this image[1] generated by Instacode[2]?

[1] [http://asset2.cbsistatic.com/cnwk.1d/i/tim2/2013/07/25/bcrypt_610x357.png](http://asset2.cbsistatic.com/cnwk.1d/i/tim2/2013/07/25/bcrypt_610x357.png)
[2] [http://instacod.es](http://instacod.es)

~~~
declan
Nope! I did it the old fashioned way with a Canon 1Ds Mark III and a macro
lens.

------
hawleyal
I don't store plaintext passwords. Nor should anyone else. Only a hash and
salt.

~~~
stan_rogers
Hash, salt _and algorithm_. That will allow you to upgrade the algorithm or
work factor as your server becomes more capable (or if a deficiency in the
algorithm you're using is identified), authenticate the user under the old
system and re-hash on the fly, all seamlessly to the user. (If you're
depending on the algorithm being a "secret sauce", you're doing it wrong.)
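The record layout the comment above describes (hash, salt and algorithm together, with transparent re-hashing on login), as an added example written for this page rather than code from any commenter. It also bears on the salt discussion earlier in the thread and on TomNomNom's point that whoever holds the record and knows the algorithm can check a guessed password against it: `verify_password` is exactly that check, and it reveals nothing about passwords the holder has not guessed. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, with the iteration count playing the role of bcrypt's cost factor; the `$`-separated record format, the function names and the sample passwords are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy. Only these two constants change when you raise the work factor;
# older records are upgraded transparently at the user's next successful login.
CURRENT_ALG = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def _derive(alg: str, iterations: int, salt: bytes, password: str) -> bytes:
    """Dispatch on the algorithm name stored in the record, so records made
    under an older scheme can still be verified after the default moves on."""
    if alg == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    raise ValueError(f"unsupported password hash algorithm: {alg}")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    The salt is random per user and stored in the clear; its job is to defeat
    precomputed tables and shared work across users, not to be a secret."""
    salt = os.urandom(16)
    digest = _derive(CURRENT_ALG, iterations, salt, password)
    return "$".join([CURRENT_ALG, str(iterations), salt.hex(), digest.hex()])


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    alg, iterations, salt_hex, digest_hex = record.split("$")
    return alg, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(record: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, replacement). When ok is True and the record was made with an
    older algorithm or a lower work factor, replacement is a fresh record under
    the current policy; the caller writes it back in place of the old one.
    """
    alg, iterations, salt, digest = parse_record(record)
    candidate = _derive(alg, iterations, salt, password)
    if not hmac.compare_digest(candidate, digest):
        return False, None
    if alg != CURRENT_ALG or iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed example: a record made under an older, weaker work factor.
    old = hash_password("hunter2", iterations=1_000)
    ok, replacement = verify_password(old, "hunter2")
    print(ok, parse_record(old)[1], "->", parse_record(replacement)[1])
```

The upgrade only happens when the user presents the password, which is the one moment the plaintext is available; records of users who never log in again stay at the old work factor, so a migration deadline for them is still needed.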

------
downandout
If you communicate information to a third party, it is vulnerable to
disclosure. End of story. Either encrypt it or don't, and if you don't, then
you don't complain if you find it being used against you in the future.

~~~
precisioncoder
That sounds to me similar to the sentence: "Either wear a bulletproof vest or
don't, and if you don't then you have waived your right to get upset if you
get shot in the chest in the future." You always have the right to be upset if
a third party accesses your data. Getting upset about unjust things is exactly
how changes happen that make the world a better place. I understand that it's
important to take safeguards but not everyone has the technical expertise or
interest to protect their data. Many people don't even realize that the
problem exists.

