The media and its misunderstanding of technology

I see the Daily Mail today reporting that Facebook should "hand over" the password to a Facebook account to the police.

First of all, doesn't this set a dangerous precedent?

Second of all, how could Facebook do this? Facebook don't know the person's password, they do not store it. This is literally web security 101, NEVER store a password. What is most stunning is how the Mail don't seem to know this, when a five second Google would give you this information.

When our media doesn't even understand how technology works - including apparently how to use Google - how can they be trusted to act in our best interest?

I would imagine that the easiest way to do this would be for Facebook to force a "Redirect Password" link to some email address not owned by the Facebook Account holder?

As to the "ignorance" of the media, ask a specialist in any sector - the meeja employs school leavers to churn out click-bait, not specialists - for instance, ask any Doctor or Lawyer.

ps - Journos know how to use Google, they have Google Search and Wikipedia open full-time - trust me on that one ;)

pps - I have just realised, you are talking about the Daily Mail - WASH YOUR HANDS!
 
Blockchain will allow such things to be a thing of the past in the future, can't come soon enough!

*Looks at Tron*
 
Facebook or any other large website is able to gain access to someone's account without a password, that'd be standard in their admin tools for sure.

The real problem is should they be allowed?

Depending where you live, you have a right not to self-incriminate yourself.
 
Facebook or any other large website is able to gain access to someone's account without a password, that'd be standard in their admin tools for sure.

The real problem is should they be allowed?

Depending where you live, you have a right not to self-incriminate yourself.

Not really, once the password is encrypted during registration (assuming they are following standard security protocols) they also would have to decrypt the hash if that's how they set it up.
 
We've already established that "handing over the password" is not the actual problem or feasible, because it should be stored in a one-way hash.
And that the site owner (Facebook) will have methods to reset or overwrite the password if they want to.

Facebook aren't going to do that without a court order, and most likely will ignore it unless that court order is issued in a court they care about (i.e. California not Croydon).
Otherwise someone will sue them [again]!
 
Facebook aren't going to do that without a court order, and most likely will ignore it unless that court order is issued in a court they care about (i.e. California not Croydon).

Exactly.

I suppose the point is - legally, they don't have to comply with anyone other than the US DOJ. I also imagine that Facebook has to deal with thousands of criminal cases every year, where evidence is buried deep inside inaccessible Facebook accounts. We know that many of these west coast based tech companies are afraid of government bureaucracy and regulation, therefore - from a strategic point of view, it does make sense for Facebook to simply rely on the buffer that is the DOJ and standard judicial process, rather than cave in directly to any court or government that holds no power over it.
 
I think a few users are getting confused between "accessing someone's account" and "accessing someone's account information", two very different things

both of which Facebook can do ;-) and neither of which requires the user's password

the question I would like to know is, when a company operates in another country and has servers in that country, why are they covered under their own country's law?
 
^because it's the internets and the previous generation never really understood it or saw the significance of it hence haven't written many laws regarding it.
 
the question I would like to know is, when a company operates in another country and has servers in that country, why are they covered under their own country's law?

I think the main problem is, many of the laws and regulations that govern a country, take so long to develop and implement. By the time these technical behemoths practically take over the global internet, and start doing what they like - the laws that exist simply don't apply, or the people who apply them don't understand how they might apply.

There have been countless examples of how Facebook's collection of data might have broken law xyz.123 in Germany, or how their retention of data might have damaged law abc.456 elsewhere, these legal cases take years and cost millions to figure out.

In my case - I help maintain global infrastructure for one of the world's biggest eSports titles, we have servers in countries all over the globe - we actually have to modify our game content and account settings, so that it complies with the law in each country. Korea is an interesting one - where anyone wanting to play online games or watch porn has to associate their "RRN" (resident registration number) with their online account, so anything "bad" can be tracked. If we didn't do that - I'm pretty sure we'd be blocked. So I suppose the answer is technically "yes" but how that applies to someone like Facebook is anyone's guess.
 
You can definitely crack the hash, salted or not, via rainbow tables or other methods depending on how fb have set up the encryption.
Got any more information on this? I thought a sufficiently lengthy salt makes cracking hashes unfeasible. Even with rainbow tables/supercomputer-grade brute force you'd be talking years of attempts.
 
A quick google suggests FB uses MySQL for their platform so it's just a database full of rubbish your account pulls stuff from
 
I think a few users are getting confused between "accessing someone's account" and "accessing someone's account information", two very different things

Indeed - Password is literally just to log in.

The raw data is going to be there in the background in simple form e.g. a table full of posts, each post with a userID next to them.

A quick google suggests FB uses MySQL for their platform so it's just a database full of rubbish your account pulls stuff from

Exactly - only a case of knowing which user posts etc relate to.
 
Personally I think a court order should be obtained before handing over someone's password at the highest level possible only. There are valid reasons of a person in trust to hand over details.

Put yourself in a parent's shoes who wants justice for a murder of their only child. People deserve this and it should be a right to this information for police to do their job correctly.

Especially when there may be evidence in an account to know what went on and even better to prosecute someone for crimes.
 
Got any more information on this? I thought a sufficiently lengthy salt makes cracking hashes unfeasible. Even with rainbow tables/supercomputer-grade brute force you'd be talking years of attempts.

It does yes even if you know the salt, I did say that they are decryptable with serious computing power not that it's realistic unless you get it with a dictionary attack.

Which begs the question how are the NSA able to demand passwords from fb and hotmail unless they have a backdoor such as storing the password in plain text.
 
Surely people are overcomplicating this. It doesn't matter what state the password is in if Facebook can access their own databases. They just have to swap out the hash and give the new one to the police, no? 2FA must be a database entry as well, can't imagine it's that hard to turn off.

There's no need for cracking when you can actually edit the data.

(Ignoring the legal side)
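
An added illustration of the two points the posts above converge on (that a salted one-way hash leaves the site with nothing to "hand over", and that database write access makes a reset possible without ever learning the old password). This is example code written for this page, not code from any poster or from Facebook; `AccountStore`, `operator_reset`, and the PBKDF2 parameters are hypothetical, since the thread does not state what scheme Facebook actually uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor, not any real site's setting


def hash_password(password, salt=None):
    """Return (salt, key); these two values are all the site stores."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


class AccountStore:
    """Hypothetical credential table mapping username -> (salt, key)."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = hash_password(password)

    def login(self, user, password):
        salt, stored = self.rows[user]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored)  # constant-time compare

    def operator_reset(self, user, new_password):
        # Database write access replaces the row; the old password
        # is never recovered, only made useless.
        self.rows[user] = hash_password(new_password)


def demo():
    store = AccountStore()
    secret = "correct horse battery staple"  # constructed sample password
    store.register("alice", secret)
    store.register("bob", secret)
    result = {
        # Same password, different salts: no shared precomputed lookup table.
        "equal_passwords_share_hash": store.rows["alice"][1] == store.rows["bob"][1],
        "plaintext_in_row": secret.encode() in b"".join(store.rows["alice"]),
    }
    store.operator_reset("alice", "operator-issued-temp")
    result["old_password_still_works"] = store.login("alice", secret)
    result["new_password_works"] = store.login("alice", "operator-issued-temp")
    return result


if __name__ == "__main__":
    print(demo())
```

A reset of this kind is visible to the account holder, because their old password stops working, which is one reason such operations are normally logged and gated behind legal process.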
 