The Walls Are Cracking: New Report Alleges FBI, NSA Demand Passwords, Security Data When Spying On Users
In short, having access to this information is a huge deal -- and if these allegations are true, the government has no qualms about demanding it. Again, Google, Yahoo, and other companies have trotted out representatives to claim they push back hard against these sorts of demands, and again, all the evidence suggests their pushing back is irrelevant. FISA warrants can't be challenged in court, which means the practical results of such a challenge are as follows:
FBI/NSA: "We want this information."
Yahoo, etc: "Get a warrant."
FBI/NSA: "Here you go."
Yahoo, etc: "Here's your data."
The CNET article that originally explored this topic, unfortunately, departs into left field at this point, implying that because websites like LinkedIn and Twitter use a computationally expensive hashing algorithm called bcrypt, it would be extremely expensive for the NSA to brute-force these passwords. The current estimate for the cost of brute-forcing a 10-character password in a single day is about $60 million -- not the $1.2 billion originally estimated in 2009.
Original image courtesy of Ars Technica
Not only is it well within the NSA's capability to build a $60 million computer dedicated to password cracking, empirical evidence shows it's not necessary. When LinkedIn password hashes leaked earlier this year, upwards of 100 million of them had been cracked in days. Not by brute-force -- that's the stupid, difficult work of last resort. Instead, hackers used sophisticated hybrid attack methods that blend dictionary approaches and password-cracking rules with "try everything and see what works" algorithms. Combine that with off-the-shelf GPU hardware, and the reality is that very few passwords would take anything like that much cash to crack.
It's not that this situation fundamentally changes what we knew about the NSA's powers; it just further illustrates how completely the government's spying has infiltrated American life. The first attempt to defund the NSA's operations failed this week, but it failed narrowly; impetus for a fundamental overhaul of how the NSA does business is still growing in Congress. With multiple requests to the government for more disclosures still pending, it's encouraging to see information like this leaking out -- it's the only way to chip apart the culture of secrecy that's ossified in the 12 years since 9/11.