The NSA wants all your passwords


We now have pretty good algorithms to encrypt our online communications. It is true that given sufficient time and computer power, some of those encryption systems can be broken but (at least as I understand it) the decryption has to be done separately for each individual case. This inconvenience clearly must be an irritant to those in the NSA who want to be able to more easily scoop up all telecommunication information, despite having probably the most powerful computers in the world and an army of people to do this work.

So the NSA has decided that given the almost unlimited coercive powers assumed by them in the ‘war on terror’, why go to all that trouble? Thanks to reader Marcus Ranum, I read this article that says the NSA has simply demanded that the telecommunication companies hand over their encryption master keys to them. As Declan McCullagh writes:

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.

“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

But that is not all. In another article, McCullagh says that the government is also demanding that major internet companies hand over their users’ stored passwords because password and other encryption is becoming more sophisticated.

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
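A constructed illustration of why such an order has to ask for the algorithm and the salt as well as the stored "password", added here and not part of the post or the CNET articles: a provider does not store the password itself but a salted, iterated hash, and checking a candidate against that record needs every field together, so a slow key-derivation function with a high work factor is the provider's main remaining protection once the record leaves its hands. The record format and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example record format (assumption, not any provider's real schema).
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000  # high work factor: every guess against the record costs this much


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """Build what a provider stores: algorithm, iteration count, salt and digest.
    Note that the password itself is not kept anywhere."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "alg": ALGORITHM,
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode(),
        "hash": base64.b64encode(digest).decode(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a candidate against a stored record.
    Every field is required: without the algorithm, the iteration count and the
    salt, the hash alone cannot be recomputed, which is exactly why an order for
    'the password' must also demand those parameters."""
    if record["alg"] != ALGORITHM:
        raise ValueError("unsupported algorithm: %s" % record["alg"])
    salt = base64.b64decode(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt,
                                 record["iterations"])
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest, base64.b64decode(record["hash"]))


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts with the same password get different stored hashes because
    their salts differ, so one precomputed table cannot cover both accounts."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)
```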

For all those still opposed to what Edward Snowden did, please realize that it is only because of his sacrifice and courage that we have this growing snowball of revelations.

Comments

  1. Corvus illustris says

    …McCullagh says that the government is also demanding that major internet companies hand over their users’ stored passwords because password and other encryption is becoming more sophisticated ….

    One of the things that can be gleaned from Joseph Bonneau’s paper (pdf, linked on your “That’s gratitude for you” post), just from the discussion (though the math is interesting for the masochistic, the relevant info is in the narrative), is “how to build a better password.” It goes without saying that no one should ever trust a password-storer that isn’t in his/her head or on that quaint old memory device, paper.

    Marcus Ranum will be along to tell us how all precautions are futile.

  2. CaitieCat says

    Wow. What could Himmler have done with this level of info available? No Ann Franks, or Raoul Wallenbergs, or Shindlers, in that world.

    I wish I could say I feel safer from this because I have an international border between me and you, Prof, but honestly, having seen the thing about the NZ journalist in Afghanistan yesterday, and seeing the letters for Canada in the title of the slide…yeah. I mean, I knew about the CSIS file on me since I took Russian as an undergrad in Ottawa, and we all saw the white panel van down the street when we visited the Soviet embassy for a goodwill night (we got to see Eisenstein’s Aleksandr Nevsky), parked in a diplomatic no-parking zone with Ontario (not diplomatic) plates. A few of us waved, so they’d have nice pictures of us. They had a file on anyone taking Russian in those days, as they did on the emigré(e)s who were our teachers.

    But there’s a long road between knowing they’ve got a file, and knowing they’ve got my passwords.

  3. CaitieCat says

    Gub. Schindlers. 20 years as a translator, and I leave out the c in “sch”? Nan de baka, uchi.

  4. says

    What’s the point here? What are they trying to uncover that they can’t without passwords?

    Bank information? That’s way easier to do through the banks — no passwords needed at all. The bank doesn’t need your password to tell the NSA when and where you’ve moved money. They just need a court order.

    E-mail? Well, 99% of all e-mail isn’t encrypted, so there you go.

    Online purchases? Of what? Are they going to start following people who buy pressure cookers? Why don’t they start with people who buy … oh, say … automatic rifles and enough ammo to decimate a small town?

    Fucking priorities.

  5. Corvus illustris says

    You were thinking in Russian, where that single character for that sound that this reply-er doesn’t recognize the Unicode for is. 😎

    … I took Russian as an undergrad in Ottawa, and we all saw the white panel van down the street when we visited the Soviet embassy for a goodwill night (we got to see Eisenstein’s Aleksandr Nevsky), parked in a diplomatic no-parking zone with Ontario (not diplomatic) plates. … They had a file on anyone taking Russian in those days, as they did on the emigré(e)s who were our teachers.

    Late 1950s math students in the US were urged to learn Russian because the journals were not being massively translated then, as they now are. If it weren’t so expensive I’d be curious to FOIA my files and see if that’s in there too.

  6. sailor1031 says

    They just need a court order

    That’s the point. They don’t want to have to get one.

  7. sailor1031 says

    Because they just want to go trolling and don’t want to have to provide justification even to FISA kangaroo court because they can’t.

  8. Matt G says

    If the NSA wants my passwords, it’s going to have to pry them out of my cold, dead Evernote app.
