
DEA demanded a user's login details from LastPass

By midian182 · 23 replies
Apr 15, 2019
  1. A recent report by Forbes highlights a case in which the Drug Enforcement Administration (DEA) demanded that LogMeIn, owner of LastPass, hand over logins, physical IP addresses, and communications of customer Stephan Caamano, who is charged with trafficking a counterfeit drug and money laundering.

    LastPass never gave up his login details, but it did give the DEA the IP addresses Caamano used, while also revealing the date his account was created and when it was last used. “Such information allows investigators to understand the geographic and chronological context of LastPass access, use, and events relating to the crime under investigation,” explained the application for the search warrant.

    The Champaign, Illinois, resident allegedly trafficked large quantities of pills containing alprazolam, which is sold under the trade name Xanax, according to the indictment. One of his customers said they ordered the drug from a Reddit user called “Googleplex,” who was also active on Dream Market, the dark web marketplace where everything from heroin to stolen financial data can be purchased.

    When arrested on May 29, officials discovered the LastPass extension on Caamano’s PC, leading to the demand for his login details from LogMeIn. A spokesperson for the company explained why the request could not be fulfilled: “User passwords stored on LogMeIn's servers are only done so in an encrypted format. The only way they get decrypted is on the user’s side, and the way that happens—the decryption key—is the user’s master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords.”

    Other password managers also make it difficult, if not impossible, for government agencies to access user information, though we don’t know if this is true of every service. Make sure to read the full Forbes article here.


     
  2. Hardware Geek

    Hardware Geek TS Rookie

    LastPass - Trusted by drug kingpins everywhere since 2018.
     
  3. p51d007

    p51d007 TS Evangelist Posts: 1,865   +1,143

    As much as I hate the illegal drug market, as with any "freedoms", you have to take the bad, with the good.
    If any encrypted password manager, smartphone maker or whatever starts compromising these things, it will NOT STOP. The deep state, no matter WHAT COUNTRY, will demand and demand. Privacy is important as well as freedom. Once you start tinkering around with it, because this guy is a bad guy, where will it end?
     
    JamesSWD, Mr Majestyk, Godel and 4 others like this.
  4. Dosahka

    Dosahka TS Enthusiast Posts: 99   +40

    That's it, I owe you at least one beer!
     
    Mr Majestyk likes this.
  5. Satish Mallya

    Satish Mallya TechSpot Staff Posts: 185   +169

    "Deep State"? No, you're thinking of law enforcement.
    Not that law enforcement is immaculate and unimpeachable, but the suggestion that they're involved in some sort of conspiracy to...what, exactly? Randomly harass citizens? That's laughable, if for no other reason than that they almost certainly have better things to do with their limited resources and manpower.

    I will agree to the extent that creeping law enforcement powers of search and seizure are worrying, and antithetical to privacy and freedom.

    But 'Deep State'? Nah.
     
  6. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    While they refused to hand over the passwords (which is impossible as they were encrypted), did they hand over the encrypted password file?

    Cause while I'm sure the encryption is fairly strong, it could most certainly be broken by a powerful enough computer (which the DEA almost certainly would have access to).

    I suspect the answer is "YES" and that the passwords were then gained within a day or so...
     
  7. m3tavision

    m3tavision TS Addict Posts: 174   +116


    The DEA is not law enforcement, it is a Federal Agency. And they have a database of information, giving them your passwords just furthers their deep state.
     
  8. Godel

    Godel TS Addict Posts: 157   +75

    Assuming a lowly twelve-character random password, an algorithm with no back doors, and a rate of one billion guesses per second, it would take 75 years to find the password, assuming you only have to test half the combinations before you find it.

    So I suspect the answer is "NO".
     
  9. Satish Mallya

    Satish Mallya TechSpot Staff Posts: 185   +169

    The DEA is very much a law enforcement agency. It is a federal law enforcement agency, roughly on par with the FBI.
    And they have a...database of....information. You realize that most government agencies do, right? From the USPS, to the DMV, SSA, IRS, etc.
    And your passwords further....the deep state?
     
  10. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    Why are you making those assumptions? Most passwords are 8 characters... and not random.... And they’d have more than one computer cranking on it at a time, I’d assume....
     
  11. Hornet

    Hornet TS Rookie

    I have used Dashlane for a couple of years now and from their description of how it works it sounds the same as Lastpass. They also warn that if you forget your master password they cannot help, you have to start from scratch. I think my master password is about 20 characters long so I think in my case it might take a little more than a day or so, not that I sell anything online or have a presence on the dark web.
     
  12. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    If they really wanted it, they’d crack it.... a few dozen super computers running at the same time can crack virtually anything...
     
    JaredTheDragon likes this.
  13. Hornet

    Hornet TS Rookie

    I don't doubt they would crack it, though I am not clever enough to make a guess at how long it would take, but I don't think LastPass are being uncooperative, just stating fact.
     
  14. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    Oh for sure.... I’m sure LastPass did everything they could.... which is all the DEA would have needed
     
  15. Podvig

    Podvig TS Rookie

    Password?? I'm sorry I forgot it due to my advanced age.
     
  16. Dosahka

    Dosahka TS Enthusiast Posts: 99   +40

    I bet you never read the documentation regarding the passwords on macOS devices.
    The following only applies if the laptop is encrypted and has a T2 chip in it.
    https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
    I quote from page 7:
    Also somewhat similar applies for iOS devices
    https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf

    Hope it helps clear things up.
     
  17. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    Um.... we're talking about the LastPass encrypted password file... this doesn't have anything to do with MacOS, iOS or Apple at all. Also, the article simply states that Caamano had a PC - what makes you think it's a Mac?!?!? And even if it was, it would still be irrelevant as we're talking about an encrypted password file stored in the cloud... but thanks for showing up :)

    All of this is assuming that the DEA can't get access to security flaws/backdoors as well... which they probably could...
     
  18. Dosahka

    Dosahka TS Enthusiast Posts: 99   +40

    I think you missed the point, it is not about what service or device the person had, it's about how these companies protect user data, your data.
    LastPass and other services exist to provide a service that protects your data without exposing it to anyone other than you.

    I was trying to point out that there is a good reason (which is hard to go against) why they don't have access to it; in fact it costs tens of millions to crack one of these passwords or devices (FBI with the terrorist's phone vs Apple), but if the device or service has simple countermeasures (wipe the device after a couple of tries, lock the account after a couple of tries...etc)
     
  19. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    And had you bothered to read my posts, you'd understand that MY point was that in this specific case, LostPass simply said "we won't hand over the passwords - because we can't".

    What we don't know is whether LostPass DID cooperate by giving out the encrypted file hosted by their server - which the DEA could then attempt to crack on their own.

    By not revealing this information, LostPass can still claim that they are on the "side of the user", protecting their customers' rights, etc, while still not getting government organizations mad at them. In fact, I wouldn't be surprised in the least if they provided the encrypted file on the proviso that the DEA not mention that they helped at all :)

    This has nothing to do with any other OS, countermeasures, etc, hence my befuddlement at your original post.
     
  20. Barry McConnell

    Barry McConnell TS Rookie

    It's not the length of your password that's the determinant of how long it would take to decrypt the file, it's the strength of the encryption algorithm. Your master password is just a key used by the encryption system. They're using AES-256 with a one-way salted hash key with multiple iterations. Unless some 3 letter agency has perfected quantum computing without telling anyone, they can have a bank of supercomputers and they won't break that encryption in any of our lifetimes.
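    As an added worked example (not from the thread, and not LastPass's own code), Godel's brute-force arithmetic and Barry McConnell's point about an iterated salted hash can be carried through together. The 36-symbol alphabet (a-z, 0-9), the 100,000-iteration count and the choice of PBKDF2-HMAC-SHA256 as the "one-way salted hash with multiple iterations" are assumptions, not figures from the page.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over a charset."""
    return charset_size ** length


def expected_years(charset_size: int, length: int,
                   guesses_per_second: float = 1e9,
                   kdf_iterations: int = 1) -> float:
    """Expected years to hit a uniformly random password.

    On average half the keyspace is searched (Godel's assumption). If the
    vault key is derived by an iterated KDF, every trial costs kdf_iterations
    hash calls, which divides the attacker's effective guess rate by that
    factor; the encryption algorithm itself never enters the calculation.
    """
    trials = keyspace(charset_size, length) / 2
    seconds = trials * kdf_iterations / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Model of the client-side step: master password + per-user salt -> 256-bit
    AES key. PBKDF2-HMAC-SHA256 is an assumption; the post only says
    'one-way salted hash key with multiple iterations'."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    # Godel's scenario: 12 random characters from an assumed 36-symbol alphabet.
    print(f"12 chars, raw key trials: {expected_years(36, 12):.0f} years")
    # Squid Surprise's scenario: a typical 8-character password, same alphabet.
    print(f"8 chars, raw key trials: {expected_years(36, 8) * SECONDS_PER_YEAR:.0f} s")
    # The same 8 characters when every guess must run 100,000 KDF iterations.
    print(f"8 chars behind 100k-iteration KDF: "
          f"{expected_years(36, 8, kdf_iterations=100_000):.1f} years")
    # The salt makes one master password yield a different key for each user.
    k1 = derive_vault_key("correct horse", b"user-a-salt", 100_000)
    k2 = derive_vault_key("correct horse", b"user-b-salt", 100_000)
    print("same password, different salts, keys differ:", k1 != k2)
```

The 8-character case shows why both posters are partly right: the algorithm's strength is irrelevant once the password is guessable, but the iteration count of the key derivation multiplies the cost of every guess.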
     
  21. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    Well, not really... you can have the strongest encryption algorithm in the world, but if your password is "123456", I'm gonna be cracking it in about 5 seconds...

    Kind of like how it doesn't matter how strong a door you have on your house - if I have the key, I'm going to get in!

    Brute force and dictionary hacking doesn't care about the encryption algorithm. If I can guess your password, I'm in :)
     
  22. p51d007

    p51d007 TS Evangelist Posts: 1,865   +1,143

    As far as I'm concerned, the DEA, FBI, CIA, NSA and all the other "alphabet" agencies are UNCONSTITUTIONAL...they are basically "federal police" which is technically in violation of the constitution because they were granted authority out of "thin air".
     
  23. m3tavision

    m3tavision TS Addict Posts: 174   +116

    For the betterment & welfare of the general populace...
    Same for the federal reserve, or how we have federal traffic signs, or any federal standards.
     
  24. pioruns

    pioruns TS Enthusiast Posts: 25

    For anyone interested, the security and cryptography used by LastPass have been discussed in detail by Steve Gibson on the Security Now podcast.
    A transcript of the whole podcast is here:
    https://www.grc.com/sn/sn-256.htm
    You can also go to his page and listen to it as an MP3, or go to the Twit.tv page to watch the video of it.
     
