ARRA News Service
News Blog for social, fiscal & national security conservatives who believe in God, family & the USA. Upholding the rights granted by God & guaranteed by the U.S. Constitution, traditional family values, "republican" principles / ideals, transparent & limited "smaller" government, free markets, lower taxes, due process of law, liberty & individual freedom. Content approval rests with the ARRA News Service Editor. Opinions are those of the authors. While varied positions are reported, beliefs & principles remain fixed. No revenue is generated for or by this "Blog" - no paid ads - no payments for articles. Fair Use Doctrine is posted & used.
Blogger/Editor/Founder: Bill Smith, Ph.D. [aka: OzarkGuru & 2010 AFP National Blogger of the Year]
Contact: editor@arranewsservice.com (Pub. Since July, 2006)
    Home Page
   

One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors. -- Plato (429-347 BC)

Friday, July 26, 2013

Feds Push Web Businesses To Surrender User Account Passwords

Ron Wyden
Ran Paul
"If I have Internet service and they want my records on somebody, they don’t tell me or a judge. We have no idea. There is no probable cause. This person might be relevant, which could mean anything, however tangential. If I don’t reveal those records, I go to jail. If I tell my wife they are asking for my records, I could go to jail. This secrecy on millions of records, this trolling through millions of records is un-American. It is unconstitutional." - Senator Rand Paul (R-KY)

"The authority of the government is essentially limitless" under the Patriot Act's business records provision. - Senator Ron Wyden (D-OR)

Dr. Bill Smith, Editor:: While "computer geeks," "web designers," etc. may have noted the following CNET article, most other people did not note this latest example of Big Government seeking access to private passwords so they can access your accounts, web sites, customers, etc. This should be of concern to all, regardless of politics, except for those who perceive themselves to be both in power and to have a right to control others. If you have a website, image opening your site to discover that someone, maybe a government agent, has changed it or has embedded tracking codes on the site. Or maybe your email server and all your email accounts have been cracked or your online business contacts compromised. Now consider the potential damage to political candidates who are not agreeable to the incumbent or a future government leaders or to the people behind those leaders. And, what about proprietary information that is compromised, shared, or even destroyed?

By the end of the article, those of us who lived, worked and made a living off the front end of the development of the Internet and computers, may find ourselves yearning for the "old" days of paper and secured physical vaults where at least a legal warrant had to be approved by a judge and provided to us before our proprietary information and other property was invaded, taken or even vandalized.

Decades ago in the classroom, discussing the advances of technology with my students, I joined a growing number of concerned professors in asking the following type reflective questions: Is all technology good for us? Should limits be placed on its expansion? Should we be defining limits on the potential encroachment by government via technology on our property and personal rights?

The following article by Declan McCullagh is long but well worth the read. I am sure he would appreciate your comment on the original CNET site. The article is being shared in full for educational purposes under the Fair Use Doctrine. It is very apparent that the author is both concerned and wishes his information to be shared.

Feds tell Web firms to turn over user account passwords
Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.

by Declan McCullagh, CNET: The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts."This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" --Jennifer Granick, Stanford UniversityA Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law."

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. "I don't know what happens when the government goes to smaller providers and demands user passwords," the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, than a password reset is the easier way."

Cracking the codes
Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms -- designed to take a large fraction of a second to scramble a password -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach."

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt.

Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking."

Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.

Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

Orin Kerr, a law professor at George Washington University and a former federal prosecutor, disagrees. First, he said, "impersonating someone is legal" for police to do as long as they do so under under court supervision through the Wiretap Act.

Second, Kerr said, the possibility that passwords could be used to log into users' accounts is not sufficient legal grounds for a Web provider to refuse to divulge them. "I don't know how it would violate the Wiretap Act to get information lawfully only on the ground that the information might be used to commit a Wiretap violation," he said.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.

"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.
-------------
Declan McCullagh is the chief political correspondent for CNET. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

Tags: Technology, United States, Policy, Privacy, Regulation, Legal, FBI, passphrases, hash function, NSA, passwords, truecrypt, encryption, surveillance, national security agency To share or post to your site, click on "Post Link". Please mention / link to the ARRA News Service. Thanks!
Posted by Bill Smith at 3:11 PM - Post Link

1 Comments:

Anonymous Dwayne Hall said...

Sad to say it doesn't surprise me. We need educated patriots to rise up and see to it the government is made to follow the Constitution.

7/26/2013  

Post a Comment

<< Home


View U.S. National Debt

Don't miss anything!
Subscribe to the
ARRA News Service
It's FREE & No Ads!

You will receive a verification email
& must validate you subscribed!

You Then Receive One Email Each AM
With Prior Days Articles / Toons / More


Also, Join & leave conservative posts & comments on
Facebook.com/ARRANewsService


Recent Posts:
Personal Tweets by the editor:
Dr. Bill - OzarkGuru - @arra
#Christian Conservative; Retired USAF & Grad Professor. Constitution NRA ProLife schoolchoice fairtax - Editor ARRA NEWS SERVICE. THANKS FOR FOLLOWING!

Action Links!
State Upper & Lower House Members
State Attorney Generals
State Governors
The White House
US House of Representatives
US Senators
GrassFire
NumbersUSA
Ballotpedia

Facebook Accts - Dr. Bill Smith
Pages:
ARRA News Service
Arkansans Against Big Government
Alley-White Am. Legion #52
Catholics & Protestants United Against Discrimination
End Taxpayer Funding of NPR
Overturn Roe V. Wade
Prolife Soldiers
Project Wildfire 4 Life
Republican Liberty Caucus of Arkansas
The Gold Standard
US Atty Gen Loretta Lynch, aka Eric Holder, Must Go
Veterans for Sarah Palin
Why Vote for Hillary (Satire)
FB Groups:
Arkansas For Sarah Palin
Arkansas Conservative Caucus
Arkansas County Tea Party
Arkansans' Discussion Group on National Issues
Blogs for Borders
Conservative Solutions
Conservative Voices
Defend Marriage -- Arkansas
FairTax
FairTax Nation
Arkansas for FairTax
Friends of the TEA Party in Arkansas
Freedom Roundtable
Pro-Life Rocks - Arkansas
Republican Network
Republican Liberty Caucus of AR
Reject the U.N.

Patriots
Exchange
Links

Request Via
Article Comment

Links to ARRA News
A Patriotic Nurse
Agora Associates
a12iggymom's Blog
America, You Asked For It!
America's Best Choice
ARRA News Twitter
As The Crackerhead Crumbles
Blogs For Borders
Blogs for Palin
Blow the Trumpet Ministry
Boot Berryism
Cap'n Bob & the Damsel
Chicago Ray Report - Obama Regime Report
Chuck Baldwin - links
Common Cents
Conservative Voices
Diana's Corner
Greater Fitchburg For Life
Lasting Liberty Blog
Liberal Isn't Amy
Marathon Pundit
Patriot's Corner
Right on Issues that Matter
Right Reason
Rocking on the Right Side
Saber Point
Saline Watchdog
Sultan Knish
The Blue Eye View
The Born Again Americans
TEA Party Cartoons
The Foxhole | Unapologetic Patriot
The Liberty Republican
The O Word
The Path to Tyranny Blog
The Real Polichick
The War on Guns
TOTUS
Twitter @ARRA
Underground Notes
Warning Signs
Women's Prayer & Action
WyBlog

Editor's Managed Twitter Accounts
Twitter Dr. Bill Smith @arra
Twitter Arkansas @GOPNetwork
Twitter @BootBerryism
Twitter @SovereignAllies
Twitter @FairTaxNation

Editor's Recommended Orgs
Accuracy in Media (AIM)
American Action Forum (AAF)
American Committment
American Culture & Faith Institute
American Enterprise Institute
American Family Business Institute
Americans for Limited Government
Americans for Prosperity
Americans for Tax Reform
American Security Council Fdn
AR Faith & Ethics Council
Arkansas Policy Foundation
Ayn Rand Institute
Bill of Rights Institute
Campaign for Working Families
CATO Institute
Center for Individual Freedom
Center for Immigration Studies
Center for Just Society
Center for Freedom & Prosperity
Citizens Against Gov't Waste
Citizens in Charge Foundstion
Coalition for the Future American Worker
Competitive Enterprise Institute
Concerned Veterans for America
Concerned Women for America
Declaration of Am. Renewal
Eagle Forum
FairTax
Family Research Council
Family Security Matters
Franklin Center for Gov't & Public Integrity
Freedom Works
Gingrich Productions
Global Incident Map
Great Americans
Gold Standard 2012 Project
Gun Owners of America (GOA)
Heritage Action for America
David Horowitz Freedom Center
Institute For Justice
Institute for Truth in Accounting
Intercollegiate Studies Institute
Judicial Watch
Less Government
Media Reseach Center
National Center for Policy Analysis
National Right To Work Foundation
National Rifle Association (NRA)
National Rifle Association (NRA-ILA)
News Busters
O'Bluejacket's Patriotic Flicks
OathKeepers
Open Secrets
Presidential Prayer Team
Religious Freedom Coalition
Renew America
Ron Paul Institute
State Policy Network
Tax Foundation
Tax Policy Center
The Club for Growth
The Federalist
The Gold Standard Now
The Heritage Foundation
The Leadership Institute
Truth in Accounting
Union Facts



Blogs For Borders

Reject the United Nations

Presidential Prayer Team

Thousands of Deadly Islamic Terror Attacks Since 9/11


FairTax Nation on FaceBook
Friends of Israel - Stand with Israel
Blog Feeds
Syndicated - Get the ARRA News Service feed Syndicated!
ARRA Blog Feed

Add to Google Reader or Homepage

Add to The Free Dictionary

Powered by Blogger


  • To Exchange Links - Email: editor@arranewsservice.com!
  • Comments by contributing authors or other sources do not necessarily reflect the position the editor, other contributing authors, sources, readers, or commenters. No contributors, or editors are paid for articles, images, cartoons, etc. While having reported on and promoting principles & beleifs beliefs of other organizations, this blog/site is soley controlled and supported by the editor. This site/blog does not advertise for money or services nor does it solicit funding for its support.
  • Fair Use: This site/blog may contain copyrighted material the use of which has not been specifically authorized by the copyright owner. Such material is made available to advance understanding of political, human rights, economic, democracy, and social justice issues, etc. This constitutes a 'fair use' of such copyrighted material as provided for in section Title 17 U.S.C. Section 107 of the US Copyright Law. Per said section, the material on this site/blog is distributed without profit to readers to view for the expressed purpose of viewing the included information for research, educational, or satirical purposes. Any person/entity seeking to use copyrighted material shared on this site/blog for purposes that go beyond "fair use," must obtain permission from the copyright owner.
  • © 2006 - 2020 ARRA News Service
Creative Commons License
Creative Commons Attribution Noncommercial Share Alike 3.0 Unported License.