Gay Athletes Could Be Prosecuted at 2014 Winter Olympics, Russian Lawmaker Suggests

Now this is taking things just a bit too far-and that’s putting it mildly. Whether you are supportive of the lifestyle or despise it, being put in jail over it is a step that is way over the line. Every time I think I’ve seen it all, there’s something else to surprise me.

 

By  (@KiritRadia_ABC)

MOSCOW July 31, 2013

 

In Russia it is now illegal to even speak about homosexuality around minors, much less openly display gay pride. Technically the ban is against “propaganda of nontraditional sexual relations” around minors, but the implication for openly gay individuals is clear. Public displays of affection by gays, including holding hands or displaying symbols like a rainbow flag, are now banned. Violators face steep fines and jail time; foreigners face similar penalties plus deportation.

So what will happen to openly gay athletes and fans, as well as any vocal supporters or protestors, when Russia hosts the Winter Olympics next year in Sochi?

This week, comments by a lawmaker from St. Petersburg set off a firestorm online when he said that fans and athletes would not be immune from prosecution during the games.

Vitaly Milonov, who sponsored legislation in St. Petersburg last year that became the basis for a national law signed by President Vladimir Putin in June, was quoted telling the Interfax news agency that the law will remain in place during the Olympics and will be applied to foreigners.

“If a law has been approved by the federal legislature and signed by the president, then the government has no right to suspend it. It doesn’t have the authority,” he reportedly said, stressing that he has not heard anything different from Russian officials.

It is worth noting, however, that Milonov is only a regional lawmaker and is not a member of the federal government or the national legislature. But he has been on the forefront of Russia’s war against homosexuality. Last summer hethreatened to fine pop star Madonna for violating the law after she spoke out against it from the stage during a concert in St. Petersburg.

The International Olympic Committee appears only cautiously optimistic that the games will be safe for gay athletes and fans, noting that it has sought assurances from Russian authorities.

“This legislation has just been passed into law and it remains to be seen whether and how it will be implemented, particularly as regards the Games in Sochi,” the IOC said in an emailed statement to ABC News.

“The IOC has received assurances from the highest level of government in Russia that the legislation will not affect those attending or taking part in the Games,” the statement continued.

The IOC said it continues to urge that the games “take place without discrimination against athletes, officials, spectators and the media.”

The U.S. Olympic committee recently sent a letter to American athletes warning them about the law, but stressing, “We do not know how and to what extent they will be enforced during the Olympic and Paralympic Games.”

The USOC says they are doing what they can to ensure the safety of all Americans at the Games.

“We are aware of these laws and are engaged in active discussions with the International Olympic Committee and the US State Department about how we can ensure that every American in Sochi, especially our athletes, are safe and secure,” the letter continues.

At least one athlete, openly gay New Zealand speed skater Blake Skjellerup, has already pledged to wear a rainbow pin during the games

Anti-gay sentiment runs high in Russia, where homosexuality was illegal during the Soviet Union and only decriminalized in 1993. A law that sent homosexuals to psychiatric wards wasn’t annulled until 1999. Petitions for gay pride parades in Moscow have been rejected and unsanctioned rallies are often met by egg-throwing Russian Orthodox believers as well as physical violence. Police are often seen ignoring the attacks, and they often detain the gay rights activists.

In recent months, a new trend of attacks has gained popularity on Russian social media. Groups lure gay men online into meeting them in person, then humiliate and attack them on camera. They post the images and videos online under a hashtag that translates as “Occupy Pedophilia.”

The U.S. has not yet issued any specific warning to gay Americans traveling to Russia. The State Department’s informational page about Russia, however, notes the law and the dangers faced by those who are openly gay in Russia.

“Discrimination based on sexual orientation is widespread in Russia. Harassment, threats, and acts of violence targeting LGBT individuals have occurred,” the page notes. “Public actions (including dissemination of information, statements, displays, or perceived conspicuous behavior) contradicting or appearing to contradict such laws may lead to arrest, prosecution, and the imposition of a fine.”

The concern about discrimination against foreigners attending the Olympics comes amid a renewed effort abroad to pressure Russia about the new anti-gay law, including calls for boycott of the games as well as of Russian products.

Influential gay activist Dan Savage last week called onsupporters to stop buying Stolichnaya and Russian Standard, two major Russian vodka labels, and to urge bars and restaurants to do the same, coining the hashtag #DumpStoli.

Leading Russian gay activist Nikolai Alexeyev, however, said he did not think the vodka ban will be effective since Stolichnaya consumed overseas is both bottled and based outside Russia.

“To be honest, I don’t see the point in boycotting the Russian vodka,” he said, according to Gay Star News.

“It will impact anyone except the companies involved a little bit. The effect will die out very fast, it will not last forever,” Alexeyev said.

Stolichnaya is produced by a Russian company for domestic consumption and by Luxembourg-based SPI Group for sale in more than 100 countries abroad. The overseas product is made from Russian ingredients, but bottled in Latvia.

In response, the company’s website has highlighted its longstanding support for gay rights, including a banner image on its Facebook pagestating “Stolichnaya Premium Vodka stands strong & proud with the global LGBT community against the attitude & actions of the Russian government.”

Calls for a full boycott of the games have been few thus far, but some activists, including the group Human Rights Campaign, are urging NBC, which will air the games in the United States, to include stories about the anti-gay law in its coverage.

Mark Lazarus, the head of NBC Sports, has promised that if the law impacts any part of the Winter Games, “we will make sure we are acknowledging it and recognizing it,” according to the Guardian.

Feds tell Web firms to turn over user account passwords

per cnet.com

Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.

 

(Credit: Photo illustration by James Martin/CNET)

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

“I’ve certainly seen them ask for passwords,” said one Internet industry source who spoke on condition of anonymity. “We push back.”

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies “really heavily scrutinize” these requests, the person said. “There’s a lot of ‘over my dead body.'”

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

“This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?”
–Jennifer Granick, Stanford University

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: “No, we don’t, and we can’t see a circumstance in which we would provide it.”

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has “never” turned over a user’s encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. “We take the privacy and security of our users very seriously,” the spokesperson said.

Apple, Yahoo, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users’ passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn’t recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, “we don’t get a high volume” of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. “The authority of the government is essentially limitless” under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government’s requests by arguing that “you don’t have the right to operate the account as a person,” according to a person familiar with the issue. “I don’t know what happens when the government goes to smaller providers and demands user passwords,” the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but “we’ve certainly had reset requests — if you have the device in your possession, than a password reset is the easier way.”

 

Source code to a C implementation of bcrypt, a popular algorithm used for password hashing.Source code to a C implementation of bcrypt, a popular algorithm used for password hashing.

(Credit: Photo by Declan McCullagh)

 

Cracking the codes
Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user’s original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase “National Security Agency” into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms — designed to take a large fraction of a second to scramble a password — that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. “I’d say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper,” said Percival, who founded a company called Tarsnap Backup, which offers “online backups for the truly paranoid.” Percival added that a government agency would likely use ASICs — application-specific integrated circuits — for password cracking because it’s “the most cost-efficient — at large scale — approach.”

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the “cost of a hardware brute-force attack” against a hashed password as much as 4,000 times greater than bcrypt.

Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google’s infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, “bcrypt won’t pipeline very well in hardware,” Mazières said, so it would “still be very expensive to do widespread cracking.”

Even if “the NSA is asking for access to hashed bcrypt passwords,” Mazières said, “that doesn’t necessarily mean they are cracking them.” Easier approaches, he said, include an order to extract them from the server or network when the user logs in — which has been done before — or installing a keylogger at the client.

 

Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision.Sen. Ron Wyden, who warned this week that “the authority of the government is essentially limitless” under the Patriot Act’s business records provision.

(Credit: Getty Images)

 

Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

“This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?” said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. “I don’t know.”

Granick said she’s not aware of any precedent for an Internet company “to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised.” If the password will be used to log in to the account, she said, that’s “prospective surveillance,” which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, “there’s a concern that the provider is enabling unauthorized access to the user’s account if they do that,” Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors’ demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man “could not be compelled to decrypt the drives.”

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation — and don’t address when a hashed password is stored on the servers of a company that’s an innocent third party.

“If you can figure out someone’s password, you have the ability to reuse the account,” which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at theElectronic Frontier Foundation.