DEA demanded a user's login details from LastPass

midian182

TechSpot Editor
Staff member

A recent report by Forbes highlights a case in which the Drug Enforcement Administration (DEA) demanded that LogMeIn, owner of LastPass, hand over logins, physical IP addresses, and communications of customer Stephan Caamano, who is charged with trafficking a counterfeit drug and money laundering.

LastPass never gave up his login details, but it did give the DEA the IP addresses Caamano used, while also revealing the date his account was created and when it was last used. “Such information allows investigators to understand the geographic and chronological context of LastPass access, use, and events relating to the crime under investigation,” explained the application for the search warrant.

The Champaign, Illinois, resident allegedly trafficked large quantities of pills containing alprazolam, which is sold under the trade name Xanax, according to the indictment. One of his customers said they ordered the drug from a Reddit user called “Googleplex,” who was also active on Dream Market, the dark web marketplace where everything from heroin to stolen financial data can be purchased.

When arrested on May 29, officials discovered the LastPass extension on Caamano’s PC, leading to the demand for his login details from LogMeIn. A spokesperson for the company explained why the request could not be fulfilled: “User passwords stored on LogMeIn's servers are only done so in an encrypted format. The only way they get decrypted is on the user’s side, and the way that happens—the decryption key—is the user’s master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords.”

Other password managers also make it difficult, if not impossible, for government agencies to access user information, though we don’t know if this is true of every service. Make sure to read the full Forbes article here.

Permalink to story.

 

p51d007

TS Evangelist
As much as I hate the illegal drug market, as with any "freedoms", you have to take the bad, with the good.
If any encrypted password manager, smartphone maker or whatever starts compromising these things, it will NOT STOP. The deep state, no matter WHAT COUNTRY, will demand and demand. Privacy is important as well as freedom. Once you start tinkering around with it, because this guy is a bad guy, where will it end?
 

Dosahka

TS Addict
As much as I hate the illegal drug market, as with any "freedoms", you have to take the bad, with the good.
If any encrypted password manager, smartphone maker or whatever starts compromising these things, it will NOT STOP. The deep state, no matter WHAT COUNTRY, will demand and demand. Privacy is important as well as freedom. Once you start tinkering around with it, because this guy is a bad guy, where will it end?
That's it, I owe you at least one beer!
 
  • Like
Reactions: Mr Majestyk

Satish Mallya

TechSpot Staff
Staff
As much as I hate the illegal drug market, as with any "freedoms", you have to take the bad, with the good.
If any encrypted password manager, smartphone maker or whatever starts compromising these things, it will NOT STOP. The deep state, no matter WHAT COUNTRY, will demand and demand. Privacy is important as well as freedom. Once you start tinkering around with it, because this guy is a bad guy, where will it end?
"Deep State"? No, you're thinking of law enforcement.
Not that law enforcement is immaculate and unimpeachble, but the suggestion that they're involved in some sort of conspiracy to...what, exactly? Randomly harass citizens? That's laughable, if for no other reason than that they almost certainly have better things to do with their limited resources and manpower.

I will agree to the extent that creeping law enforcement powers of search and seizure are worrying, and antithetical to privacy and freedom.

But 'Deep State'? Nah.
 

Squid Surprise

TS Evangelist
While they refused to hand over the passwords (which is impossible as they were encrypted), did they hand over the encrypted password file?

Cause while I'm sure the encryption is fairly strong, it could most certainly be broken by a powerful enough computer (which the DEA almost certainly would have access to).

I suspect the answer is "YES" and that the passwords were then gained within a day or so...
 

m3tavision

TS Evangelist
As much as I hate the illegal drug market, as with any "freedoms", you have to take the bad, with the good.
If any encrypted password manager, smartphone maker or whatever starts compromising these things, it will NOT STOP. The deep state, no matter WHAT COUNTRY, will demand and demand. Privacy is important as well as freedom. Once you start tinkering around with it, because this guy is a bad guy, where will it end?
"Deep State"? No, you're thinking of law enforcement.
Not that law enforcement is immaculate and unimpeachble, but the suggestion that they're involved in some sort of conspiracy to...what, exactly? Randomly harass citizens? That's laughable, if for no other reason than that they almost certainly have better things to do with their limited resources and manpower.

I will agree to the extent that creeping law enforcement powers of search and seizure are worrying, and antithetical to privacy and freedom.

But 'Deep State'? Nah.

The DEA is not law enforcement, it is a Federal Agency. And they have a database of information, giving them your passwords just furthers their deep state.
 

Godel

TS Addict
While they refused to hand over the passwords (which is impossible as they were encrypted), did they hand over the encrypted password file?

Cause while I'm sure the encryption is fairly strong, it could most certainly be broken by a powerful enough computer (which the DEA almost certainly would have access to).

I suspect the answer is "YES" and that the passwords were then gained within a day or so...
Assume a lowly twelve character random password and that the algorithm has no back doors, and a rate of one billion guesses per second, it would take 75 years to find the password, assuming you only have to test half the combinations before you find it.

So I suspect the answer is "NO".
 

Satish Mallya

TechSpot Staff
Staff
The DEA is not law enforcement, it is a Federal Agency. And they have a database of information, giving them your passwords just furthers their deep state.
The DEA is very much a law enforcement agency. It is a federal law enforcement agency, roughly on par with the FBI.
And they have a...database of....information. You realize that most government agencies do, right? From the USPS, to the DMV, SSA, IRS, etc.
And your passwords further....the deep state?
[See image]tenor (13).gif
 

Squid Surprise

TS Evangelist
Assume a lowly twelve character random password and that the algorithm has no back doors, and a rate of one billion guesses per second, it would take 75 years to find the password, assuming you only have to test half the combinations before you find it.

So I suspect the answer is "NO".
Why are you making those assumptions? Most passwords are 8 characters... and not random.... And they’d have more than 1 computers cranking on it at a time I’d assume....
 

Hornet

TS Rookie
While they refused to hand over the passwords (which is impossible as they were encrypted), did they hand over the encrypted password file?

Cause while I'm sure the encryption is fairly strong, it could most certainly be broken by a powerful enough computer (which the DEA almost certainly would have access to).

I suspect the answer is "YES" and that the passwords were then gained within a day or so...
I have used Dashlane for a couple of years now and from their description of how it works it sounds the same as Lastpass. They also warn that if you forget your master password they cannot help, you have to start from scratch. I think my master password is about 20 characters long so I think in my case it might take a little more than a day or so, not that I sell anything online or have a presence on the dark web.
 

Squid Surprise

TS Evangelist
I have used Dashlane for a couple of years now and from their description of how it works it sounds the same as Lastpass. They also warn that if you forget your master password they cannot help, you have to start from scratch. I think my master password is about 20 characters long so I think in my case it might take a little more than a day or so, not that I sell anything online or have a presence on the dark web.
If they really wanted it, they’d crack it.... a few dozen super computers running at the same time can crack virtually anything...
 
  • Like
Reactions: JaredTheDragon

Hornet

TS Rookie
If they really wanted it, they’d crack it.... a few dozen super computers running at the same time can crack virtually anything...
I don't doubt they would crack it though I am not clever enough to make a guess on how long it would take but I don't think LastPass are being uncooperative, just stating fact
 

Squid Surprise

TS Evangelist
I don't doubt they would crack it though I am not clever enough to make a guess on how long it would take but I don't think LastPass are being uncooperative, just stating fact
Oh for sure.... I’m sure LastPass did everything they could.... which is all the DEA would have needed
 

Dosahka

TS Addict
If they really wanted it, they’d crack it.... a few dozen super computers running at the same time can crack virtually anything...
I bet you never read the documentation regarding the passwords on macOS device
The following only applies if the laptop is encrypted and has a T2 chip in it.
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
I quote from page 7:
To prevent brute-force attacks, when Mac boots, no more than 30 password
attempts are allowed at the Login Window or via Target Disk Mode, and
escalating time delays are imposed after incorrect attempts. The delays are
enforced by the Secure Enclave coprocessor on the T2 chip. If Mac is restarted
during a timed delay, the delay is still enforced, with the timer starting over for
the current period.
To prevent malware from causing permanent data loss by trying to attack the
user’s password, these limits are not enforced after the user has successfully
logged into the Mac, but will be reimposed after reboot. If the 30 attempts are
exhausted, 10 more attempts are available after booting into macOS Recovery.
And if those are also exhausted, then 60 additional attempts are available for
each enabled FileVault recovery mechanism (iCloud recovery, FileVault recovery
key, and institutional key), for a maximum of 180 additional attempts. Once
those additional attempts are exhausted, the Secure Enclave will no longer
process any requests to decrypt the volume or verify the password, and the
data on the drive becomes unrecoverable.
Also somewhat similar applies for iOS devices
https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

Hope it helps clear things up.
 

Squid Surprise

TS Evangelist
I bet you never read the documentation regarding the passwords on macOS device
The following only applies if the laptop is encrypted and has a T2 chip in it.
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
I quote from page 7:

Also somewhat similar applies for iOS devices
https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

Hope it helps clear things up.
Um.... we're talking about the LastPass encrypted password file... this doesn't have anything to do with MacOS, iOS or Apple at all. Also, the article simply states that Caamano had a PC - what makes you think it's a Mac?!?!? And even if it was, it would still be irrelevant as we're talking about an encrypted password file stored in the cloud... but thanks for showing up :)

All of this is assuming that the DEA can't get access to security flaws/backdoors as well... which they probably could...
 

Dosahka

TS Addict
Um.... we're talking about the LastPass encrypted password file... this doesn't have anything to do with MacOS, iOS or Apple at all. Also, the article simply states that Caamano had a PC - what makes you think it's a Mac?!?!? And even if it was, it would still be irrelevant as we're talking about an encrypted password file stored in the cloud... but thanks for showing up :)

All of this is assuming that the DEA can't get access to security flaws/backdoors as well... which they probably could...
I think you missed the point, it is not about what service or device the person had, it's about how these companies protect user data, your data.
LastPass and other services is to give a service to protect your data without exposing it to anyone other than you.

I was trying to point out that there is a good reason (which is hard to go against) why they don't have access to it, in fact it cots tens of millions to crack one of these passwords or devices (FBI with the terrorist's phone vs Apple), but if the device or service has simple countermeasures (wipe the device after couple tries, lock the account after a couple tries...etc)
 

Squid Surprise

TS Evangelist
I think you missed the point, it is not about what service or device the person had, it's about how these companies protect user data, your data.
LastPass and other services is to give a service to protect your data without exposing it to anyone other than you.

I was trying to point out that there is a good reason (which is hard to go against) why they don't have access to it, in fact it cots tens of millions to crack one of these passwords or devices (FBI with the terrorist's phone vs Apple), but if the device or service has simple countermeasures (wipe the device after couple tries, lock the account after a couple tries...etc)
And had you bothered to read my posts, you'd understand that MY point was that in this specific case, LostPass simply said "we won't hand over the passwords - because we can't".

What we don't know is whether LostPass DID cooperate by giving out the encrypted file hosted by their server - which the DEA could then attempt to crack on their own.

By not revealing this information, LostPass can still claim that they are on the "side of the user", protecting their customers' rights, etc, while still not getting government organizations mad at them. In fact, I wouldn't be surprised in the least if they provided the encrypted file on the proviso that the DEA not mention that they helped at all :)

This has nothing to do with any other OS, countermeasures, etc, hence my befuddlement at your original post.
 
It's not the length of your password that's the determinant of how long it would take to decrypt the file, it's the strength of the encryption algorithm. Your master password is just a key used by the encryption system. They're using AES-256 with a one-way salted hash key with multiple iterations. Unless some 3 letter agency has perfected quantum computing without telling anyone, they can have a bank of supercomputers and they won't break that encryption in any of our lifetimes.
 

Squid Surprise

TS Evangelist
It's not the length of your password that's the determinant of how long it would take to decrypt the file, it's the strength of the encryption algorithm. Your master password is just a key used by the encryption system. They're using AES-256 with a one-way salted hash key with multiple iterations. Unless some 3 letter agency has perfected quantum computing without telling anyone, they can have a bank of supercomputers and they won't break that encryption in any of our lifetimes.
Well, not really... you can have the strongest encryption algorithm in the world, but if your password is "123456", I'm gonna be cracking it in about 5 seconds...

Kind of like how it doesn't matter how strong a door you have on your house - if I have the key, I'm going to get in!

Brute force and dictionary hacking doesn't care about the encryption algorithm. If I can guess your password, I'm in :)
 

p51d007

TS Evangelist
The DEA is not law enforcement, it is a Federal Agency. And they have a database of information, giving them your passwords just furthers their deep state.
As far as I'm concerned, the DEA, FBI, CIA, NSA and all the other "alphabet" agencies are UNCONSTITUTIONAL...they are basically "federal police" which is technically in violation of the constitution because they were granted authority out of "thin air".
 

m3tavision

TS Evangelist
As far as I'm concerned, the DEA, FBI, CIA, NSA and all the other "alphabet" agencies are UNCONSTITUTIONAL...they are basically "federal police" which is technically in violation of the constitution because they were granted authority out of "thin air".
For the betterment & welfare of the general populace...
Same for the federal reserve, or how we have federal traffic signs, or any federal standards.
 

pioruns

TS Enthusiast
For anyone interested, LastPass security and cryptography used has been discussed in detail by Steve Gibson in Security Now podcast.
Transcript of whole podcast is here:
https://www.grc.com/sn/sn-256.htm
You can also go to his page and listen it as MP3 or go to Twit.tv page to watch video of it.