My Adorable Sweetie pie
Of all God’s creatures there is only one that cannot be made the slave of the leash. That one is the cat. If man could be crossed with a cat it would improve man, but it would deteriorate the cat.

– Mark Twain

Posted in Animals, cats, Quotes

Pessimist Vs Optimist

The pessimist sees difficulty in every opportunity. The optimist sees the opportunity in every difficulty.

– Winston Churchill

Posted in Quotes

Feds tell Web firms to turn over user account passwords

Secret demands mark an escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored not in plain text but as salted hashes.

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored only in hashed form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.'”

Some of the government orders demand not only a user’s password but also the hashing algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string stored alongside each user’s hashed password and mixed into the hash; it ensures that two users with the same password get different hashes, and it forces an attacker to crack each account separately instead of reusing a precomputed table of hashes. Other orders demand the secret question codes often associated with user accounts.


A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: “No, we don’t, and we can’t see a circumstance in which we would provide it.”

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has “never” turned over a user’s encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. “We take the privacy and security of our users very seriously,” the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: “If we receive a request from law enforcement for a user’s password, we deny such requests on the grounds that they would allow overly broad access to our users’ private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law.”

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users’ passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn’t recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, “we don’t get a high volume” of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. “The authority of the government is essentially limitless” under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government’s requests by arguing that “you don’t have the right to operate the account as a person,” according to a person familiar with the issue. “I don’t know what happens when the government goes to smaller providers and demands user passwords,” the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but “we’ve certainly had reset requests — if you have the device in your possession, then a password reset is the easier way.”

Cracking the codes
Even if the National Security Agency or the FBI successfully obtains a hashed password, its salt, and details about the algorithm used, unearthing a user’s original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

The algorithms used to scramble stored passwords are hash functions, which are designed to be one-way: easy to compute, hard to reverse. One popular hash function called MD5, for instance, transforms the phrase “National Security Agency” into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well designed, the original phrase cannot be derived from the output; an attacker holding the hash can only guess candidate passwords, hash each one the same way, and look for a match.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms, intentionally designed to take a large fraction of a second to scramble a password and to expose a work factor that can be raised as hardware gets faster, so that testing every possible combination becomes difficult and expensive for the NSA and other attackers.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. “I’d say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper,” said Percival, who founded a company called Tarsnap Backup, which offers “online backups for the truly paranoid.” Percival added that a government agency would likely use ASICs — application-specific integrated circuits — for password cracking because it’s “the most cost-efficient — at large scale — approach.”

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the “cost of a hardware brute-force attack” against a hashed password as much as 4,000 times greater than bcrypt.
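As an added example, not part of the CNET article, here is the guess-and-hash loop the section above describes, in Python: a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt and scrypt, which are not in the standard library; the reasoning is identical), a dictionary attack over a constructed dump of the kind a provider would be handing over, and the keyspace arithmetic behind the cost estimates quoted from Percival. The usernames, passwords, wordlist, iteration count and guess rates are all constructed for the example.

```python
"""Salted slow hashing, a dictionary attack on a hash dump, and brute-force
cost arithmetic.  Added example, not code from the article or any vendor.
PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt (assumption); every user,
password, wordlist entry and guess rate below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 50_000  # work factor; raise it as hardware gets faster (assumption)

Record = Tuple[str, bytes, int, bytes]  # (user, salt, iterations, digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Return (salt, iterations, digest).  A fresh 16-byte salt is drawn when
    none is supplied, so two users with the same password get different
    digests and a precomputed table of hashes cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_dump(records: List[Record], wordlist: List[str]) -> Dict[str, str]:
    """What an attacker holding hashes, salts and the algorithm actually does:
    hash each candidate with the victim's salt and work factor and look for a
    match.  The salt forces this to be repeated per user; the slow hash makes
    each guess expensive.  Returns {user: recovered_password}."""
    found: Dict[str, str] = {}
    for user, salt, iterations, digest in records:
        for guess in wordlist:
            if verify_password(guess, salt, iterations, digest):
                found[user] = guess
                break
    return found


def brute_force_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Expected time to find a password of exactly `length` symbols from a
    `charset_size`-symbol alphabet: on average half the keyspace is searched."""
    return (charset_size ** length) / 2 / hashes_per_second


def demo_dump() -> List[Record]:
    """Constructed hash dump: one weak password, one strong one."""
    alice = hash_password("password123")
    bob = hash_password("Xq7!vM2#pL9z-tarsnap")
    return [("alice",) + alice, ("bob",) + bob]


if __name__ == "__main__":
    dump = demo_dump()
    wordlist = ["123456", "password", "letmein", "password123"]  # constructed
    print("cracked:", crack_dump(dump, wordlist))  # only alice falls

    # The article's 348e9 guesses/s applies to fast hashes such as MD5 or NTLM
    # on a GPU rig; a slow hash tuned to ~1e4 guesses/s changes the picture.
    for label, rate in (("fast hash, GPU rig", 348e9), ("slow hash", 1e4)):
        secs = brute_force_seconds(26, 8, rate)
        print(f"{label}: 8 lowercase letters -> {secs:,.0f} s")
```

The dump gives the attacker everything the article says the orders ask for (hash, salt, algorithm), and the weak password still falls to a four-word list; the strong one does not. The cost function shows why the work factor matters more than the charset folklore: eight lowercase letters are a fraction of a second at GPU-rig rates against a fast hash, and about four months against a hash tuned to ten thousand guesses per second.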

Bcrypt was introduced at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google’s infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, “bcrypt won’t pipeline very well in hardware,” Mazières said, so it would “still be very expensive to do widespread cracking.”

Even if “the NSA is asking for access to hashed bcrypt passwords,” Mazières said, “that doesn’t necessarily mean they are cracking them.” Easier approaches, he said, include an order to extract them from the server or network when the user logs in — which has been done before — or installing a keylogger at the client.

Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

“This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?” said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. “I don’t know.”

Granick said she’s not aware of any precedent for an Internet company “to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised.” If the password will be used to log in to the account, she said, that’s “prospective surveillance,” which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, “there’s a concern that the provider is enabling unauthorized access to the user’s account if they do that,” Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors’ demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man “could not be compelled to decrypt the drives.”

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation — and don’t address when a hashed password is stored on the servers of a company that’s an innocent third party.

“If you can figure out someone’s password, you have the ability to reuse the account,” which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.

As published on http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/

Posted in Technology

US telecom agency issues draft mobile app code of conduct with guidelines for user data collection

The US government’s National Telecommunications and Information Administration today issued its first draft of what will be a mobile apps code of conduct intended to better protect consumers and their privacy. If made final, the policy states that publishers must provide consumers with “short-form” notices in multiple languages informing them of how their data is being used.

After soliciting feedback from privacy, civil liberties, and consumer advocates, along with app developers and publishers, and mobile ecosystem representatives, the NTIA sought to help make mobile apps more transparent to their end users. The idea was spurred on by President Obama’s call to enact an online privacy “bill of rights” (which is somewhat ironic given the NSA’s recently revealed surveillance program).

As listed in the draft code of conduct, the NTIA states that “where practicable, app developers are encouraged to provide consumers with access to the short notice prior to download or purchase of the app.” It stresses that this process is entirely voluntary, but those app developers that comply must list in their short notice four things:

(a) the collection of types of data listed in Section II.A whether or not consumers know that it is being collected;
(b) a means of accessing a long-form privacy policy, if any exists;
(c) the sharing of user-specific data, if any, with third-parties listed in Section II.B as defined below; and
(d) the identity of the entity providing the app.

Just so that there’s no doubt about what “data” means, the government entity specifically says it includes biometrics, browser history, phone or text log, contacts, financial info, health, medical, or therapy info, location, and user files.

However, there is an exception to the short-form notice. If the data is actively submitted by the user through an open field voluntarily, then it appears to be fair game. Also, if an app “as one of its functions” has in-app purchasing and does not otherwise passively collect financial information without advance consumer notice, then the app creator is in the clear — but only if the consumer’s purchase doesn’t constitute a material change from the app’s original short-form notice.

The NTIA goes a bit deeper into exceptions to the rule, saying that short-form notices aren’t needed when collecting or sharing unidentifiable data as long as “reasonable steps” are taken to disassociate it from the owners. What is a “reasonable step”?

  • Reasonable measures have been taken to de-identify the data.
  • Publishers must not attempt to reassociate the data.
  • Publishers are contractually prohibited from having third-party contractors or vendors make the association.

US Assistant Secretary of Commerce for Communications and Information and NTIA Administrator Lawrence Strickling issued a statement after the draft was released, heaping praise on the agency’s success:

NTIA is pleased that today a diverse group of stakeholders reached a seminal milestone in the efforts to enhance consumer privacy on mobile devices. We encourage all the companies that participated in the discussion to move forward to test the code with their consumers.

The American Civil Liberties Union (ACLU) has come out in support of the policy calling it a “modest but important step forward” for consumer privacy. However, it wasn’t all praise, as the organization’s legislative counsel Christopher Calabrese said, “The fact that it took a year to come to agreement on just this single measure, however, makes it clear that we need comprehensive privacy legislation in order to gain meaningful privacy protections for consumers. After all, we should be able to enjoy cool new technologies without giving up our privacy.”

The NTIA has not specified what its next steps are, but it probably wouldn’t be far-fetched to believe it will track developer feedback and consumer reaction for an undetermined period of time. Hopefully it won’t take another year for this to move to the next phase.

As published on http://thenextweb.com/insider/2013/07/26/us-telecom-agency-issues-draft-mobile-app-code-of-conduct-with-guidelines-for-user-data-collection/

Posted in Technology

Open Source Software: The Hidden Cost of Free

Recently, Michael Skok wrote that “open source is eating the software world.” As general partner at North Bridge Venture Partners, Skok should know. He’s witnessed the power of open source as an entrepreneur and VC. And he’s seen the positive, long-term adoption trends revealed by the annual “Future of Open Source” survey sponsored by his firm and others.

While not entirely hyperbole, Skok’s claim raises a fundamental question: Should you let open source eat your software world? Maybe.

If you’re an ISV or if software development is central to your company, some degree of open source adoption is almost a foregone conclusion. But if software development is not a core competency for your company, then using commercial software may still make sense.

In the spirit of full disclosure, my company develops commercial software. We are also one of the vendors who’d get displaced if IT departments decided to replace packaged IT management software with freely-available, open source alternatives. So I’ve got a dog in this fight, so to speak. I’m just not convinced that this particular fight is “winner takes all.” Here’s why.

Build or Buy – You Pay Either Way

As suggested above, not everyone has the desire or the skills to support, maintain and even enhance a software solution. And that’s what you’re doing with open source: You’re responsible for maintaining, enhancing and customizing the application to meet your needs.

Think of commercial software as a house and open source software as everything you need to build a house — raw lumber, nails, sheet rock, windows, plumbing fixtures and the rest. You can spend your money and buy the house, or you can spend your time and build the house. Either way, you pay for your house.

Like a do-it-yourself house, you are on your own if something goes wrong with your homegrown, open source application. Yes, you’ll find plenty of free help online. Too much help, perhaps, and that may lead to one or more wild goose chases as you hunt down and fix the problem yourself (think many, many trips to the Home Depot). But that’s a key dividing line between buying commercial software and building your open source solution.

Free, open source software may be a cost-effective alternative on the front end of an application development project, but you’ve got to factor in the costs of the ongoing maintenance and support as well as the up-front development to get the project’s true cost — not to mention business risk.

Swapping Application Lock-in for Vendor Lock-in

One of the chief advantages of open source software is that it frees you from vendor lock-in, which makes it extremely difficult and expensive to switch off a vendor’s proprietary commercial app. In fact, “freedom from vendor lock-in” ranked as the number one reason to adopt open source software in the 2011 and 2012 Future of Open Source surveys. In the 2013 survey, “freedom from vendor lock-in” was number two, edged out by “better quality software” in the number one slot.

Am I going to argue in favor of lock-in? No, but you’re still locked in with open source software, just not to the vendor. With open source, you’re locked in to your app. After you’ve opted for an open source app, it’s up to you to provide ongoing maintenance, upgrades and troubleshooting, as well as any needed end-user support. Congratulations! You’re now a software vendor. The high switching costs of commercial apps are now replaced by the high costs of supporting open source apps.

Bottom line, open source may be “eating the software world,” but not all of it. For ISVs and other software development professionals, open source is a no-brainer. We use it in development and in our commercial products wherever and whenever it makes sense. It is free, after all, and the quality is second to none, as this year’s Future of Open Source survey reinforces.

But software pros have resources in place to support their open source efforts. Your organization may not be so lucky, or it may not be interested in putting them in place. After all, not every company has acquired an appetite for open source.

As published on http://www.forbes.com/sites/rajsabhlok/2013/07/18/open-source-software-the-hidden-cost-of-free/

Posted in Technology

How Social Media Moves Consumers From ‘Sharing’ To ‘Purchase’

Vision Critical’s recently published study, From Social to Sale, provides some answers to exactly how a company’s social media strategy could be tailored to drive sales. Using interviews with almost 6,000 participants, the company evaluated social media purchasing against participation in Twitter, Facebook and Pinterest.

The top line findings:

  • About 40% of social media users have purchased an item after sharing or “favoriting” it on these sites. (The company uses “Shared or Favorited” to mean pinned/repinned/liked on Pinterest; shared/liked/commented on Facebook; tweeted/retweeted or favorited on Twitter.)
  • Facebook is the network most likely to drive customers to purchase.
  • Social media drives not just online purchasing, but in-store purchasing as well – and at about equal rates.

(Chart courtesy of Vision Critical.)

“One of the more surprising findings in this whole research for me,” the study’s co-author Alexandra Samuel, Vice-President of Social Media at Vision Critical, said in an interview, “was to see how significant that in-store purchasing is. This is one of those really not intuitive findings.”

She continues, “And just that recognition that you are not getting the whole story on social from tracking social to ecommerce conversions is a huge finding. If you are estimating the ROI on social by looking at social to web, you are missing roughly half your social-inspired purchasing.”

The high volume of ex ante signaling that happens as part of the purchase consideration was also not intuitive, Samuel says. And so the current study she sees as “a call to arms” about companies gathering information to know why this might happen. “You don’t want to miss the most important piece. What was the relationship there? What was it about tweeting the product that led them to your store? Was it just an accident? Was it a signal that they were literally walking into your store? Was it because they got feedback from their friends? How much of an influence did that sharing have on your ultimate purchase decision?”

Conversion rates are the bread and butter of advertising and promotion spending wherever they exist. So one big disappointment of the work so far is the lack of information on any kind of actual conversion rate, establishing how often the sharer of a particular item converts to be a purchaser of that item. Samuel says that conversion information will always be extremely difficult to get at, even with evolving research tools. “If you ask people how many cars they’ve pinned or tweeted before they bought their car, they would have an idea. But the number of instances vary so much by product category. I mean, if you asked me how many pairs of boots I’ve pinned in the past year, not only would I be ashamed to tell you the number, but I don’t really know.”

Media companies will take away different lessons from this research than brands or retailers do, says Samuel. “So if you are Lowes or Wal-Mart, you need to figure out how to drive people from your site to share something social and then bring that back into the store. That is a different challenge than if you are Fox and you are trying to provide a valuable advertising environment, figuring out how social can extend the brand experience around its TV shows.” She continues, “The smartest media companies are seeing social not as a competing medium, but as an extending medium. They help their viewers engage with advertisers and are figuring out how they can help them make that journey from social to purchase.”

As published on http://www.forbes.com/sites/avaseave/2013/07/22/how-social-media-moves-consumers-from-sharing-to-purchase/

Posted in Social Media, Technology

I am

“I am.” is the shortest complete sentence in the English language, and “I Am that I Am” is the response God gave in the Hebrew Bible when Moses asked for his name (Exodus 3:14). It is one of the most famous verses in the Torah.

Posted in Facts

Your time is precious

.. Don’t waste it on those for whom you are no priority and for whom everything in the world is “me” .. in short, the selfish!

Posted in Quotes

Hope

Hope by Shailendra Nair on 500px.com

Posted in Photography

Iran will provide state-run email addresses to all citizens

Iran is creating the building blocks of a state-controlled internet, and its next major effort appears to be email. Reuters reports that Iran is planning to dole out a government-run email address to each of its citizens and to use the addresses as a way to communicate with them. While that would give the Iranian government a fairly progressive means of communicating with its people, the continued worry is that the state will only use it as another way of monitoring their private lives. Iran is promising to maintain privacy within the service, though full details haven’t been revealed.

Reuters reports that data centers are now being set up throughout Iran to handle traffic for the new service, which will be located at mail.post.ir. Though it’s a sign that Iran is continuing toward a closed, censored internet, the country’s incoming president may be less keen on such plans. According to Mehr News Agency, president-elect Hassan Rouhani said that he believes strong government “does not interfere in the people’s private lives.” It could mean a turn of events when he takes office in August, but for now, Iranian citizens must continue to deal with increased efforts to regulate their internet access.

As published on http://www.theverge.com/2013/7/8/4504510/iran-creating-state-run-email-service-for-all-citizens

Posted in Technology