Hushmail compromised

[NewVader]

pages 7, 10 and 11 are particularly interesting...

http://static.bakersfield.com/smedia...filiate.25.pdf

[Raven88]

Some of these folks should have never used an email service based in a country with international agreements with the US. It has said all along in hushmail's users agreement that with proper court documents that they will cooperate with LE, so why should this surprise anyone?

[freakon]

Are the Feds still monitering the emails? i was in correspondence with a source and have not heard from him in over a week, and the money order i sent him is still in the p.o. box "tracking confirmation". Damn i Hope everything is alright with my source.
Upon reading the court papers listed it seems as though this was a sting operation. there was obvious dialoge between buyer "feds" and the seller. i am not sure if they were actually intercepting/viewing other hushmail transactions all i see is the communications between the seller and the undercover. can anyone clarify this? thanks

[Mjølner]

I've used hushmail since it was beta in 1995. I have also reviewed the source code. It's impossible for anyone to read an encrypted message.

What hushmail does, is protect email between two TRUSTED parties, BOTH of which, must use hushmail. If you are sending encrypted email to a narc, then it's really not going to do you any good is it?

All that hushmail can provide to the authorities, is your IP address, and any billing info, should you have a premium account...naturally, this would include your name, number, cc number you paid with, etc.

A simple rule is, KNOW WHO YOU ARE TALKING TO. If you KNOW the other party, and you both use hushmail, and you both have the "Encrypt Message" box checked, and assuming you ARE busted, all that will show up, after an investigation, is that someone from IP xxx.xx.xx.xxx sent SOMETHING to IP xxx.xx.xx.xxx

Is this enough for conspiracy to traffic, and to fall prey to the various RICO and ROPE laws that hardly anyone knows about? Perhaps...perhaps not.

Can hushmail provide bulletproof encypted email between two trusted parties? The answer, without a doubt, is YES.

In short, trust no-one, know your source, don't BECOME a source, and communicate over a secure medium.

[thegodfather]

Are the Feds still monitering the emails? i was in correspondence with a source and have not heard from him in over a week, and the money order i sent him is still in the p.o. box "tracking confirmation". Damn i Hope everything is alright with my source.
Upon reading the court papers listed it seems as though this was a sting operation. there was obvious dialoge between buyer "feds" and the seller. i am not sure if they were actually intercepting/viewing other hushmail transactions all i see is the communications between the seller and the undercover. can anyone clarify this? thanks

probably very stupid to post information like that at a time like this....This is just the same as you walking into the middle of the street and screaming that you bought illegal drugs the other day...

[TAPPER]

Originally posted by: Mjølner

I've used hushmail since it was beta in 1995. I have also reviewed the source code. It's impossible for anyone to read an encrypted message.

What hushmail does, is protect email between two TRUSTED parties, BOTH of which, must use hushmail. If you are sending encrypted email to a narc, then it's really not going to do you any good is it?

All that hushmail can provide to the authorities, is your IP address, and any billing info, should you have a premium account...naturally, this would include your name, number, cc number you paid with, etc.

A simple rule is, KNOW WHO YOU ARE TALKING TO. If you KNOW the other party, and you both use hushmail, and you both have the "Encrypt Message" box checked, and assuming you ARE busted, all that will show up, after an investigation, is that someone from IP xxx.xx.xx.xxx sent SOMETHING to IP xxx.xx.xx.xxx

Is this enough for conspiracy to traffic, and to fall prey to the various RICO and ROPE laws that hardly anyone knows about? Perhaps...perhaps not.

Can hushmail provide bulletproof encypted email between two trusted parties? The answer, without a doubt, is YES.

In short, trust no-one, know your source, don't BECOME a source, and communicate over a secure medium.

It sounds like Hush is giving up more than name, addy, and IP address. On p. 6 of the document it says the DEA received 3 CD’s from Hush covering two of the defendants email accounts. Then on p. 10, 11 is says they received 9 more CD’s for the same two email accounts as well as an additional one. That sounds like Hush turned over everything stored on their servers that was related to those email accounts. The DEA would have already possessed the correspondence between the defendant and themselves, so what else would Hush have to give up that filled 12 CD’s?????

Now, I agree with you - the code is solid without the keys, but Hush stores them on their servers too. So in all actuality with the help of Hush Inc the only thing stopping a third party from decrypting your emails is the password on the account. (assuming we believe Hush Inc’s privacy claims and rule out a backdoor in the code)

Personally, I don’t believe there is a backdoor, but with the encrypted emails and keys it doesn’t seem like cracking a password would be a tremendous feat for the DEA or some other governmental agency, especially if the defendant used a weak password.

I also found the following statement from p. 6 of the document is very interesting.

…”Hush Communications Inc, also known as Hush Mail, is a free encrypted email communication system that claims to ensure the security, privacy, and authenticity of emails sent and received by its users.”…

Hmmm….kind of makes you wonder a bit.

[thegodfather]

CD means Controlled Deliveries bro...

[thegodfather]

Also....the fact that certain people were corresponding with the email address that was hot, would mean that alone would be incriminating enough for them to get wire taps on whoever was emailing them. They identify the source email, get a warrant for the IP Address which they then subpeona the ISP for the persons info. Now, the people e-mailing the source are identified by Hush, they give them their IP Address, and then they identify who those people are behind the email addresses. From there, its easy, all they have to do is conduct surveillance on the person and watch their activities. They seem them go into the post office, 5 minutes after the persoon leaves, they walk into the post office and ask to see the package that the person picked up, OR ask the post master to inspect all packages coming in to that person. Now they have identified the shit coming in, from there they continue to monitor it, and build a huge case, hit them with so many counts of this and that, that by the time they actually goto make the arrest, what would have been 1 count of importing a controlled substance, is 32 counts of importing a controlled substance with the intent to distribute, 10 counts of this, 15 counts of that... At that point, you better either be able to resurrect Johnny Cochran, or be someone important enough in the game that you have someones head you can offer them on a silver platter so that your not serving life sentences for the assload of charges they are throwing at you. Not to mention, all of the Federal charges they are going to hit you with in addition to what the state law says. You are royally F'ed at that point.

So really, Hush giving up the IP addresses is all thats needed to get the info you need. Its not like it was hard to identify the sources emails, they had it PLASTERED all over threads like they were advertising for the newest 3-series for BMW. It got even better though, flashing banners at the login screens of some of these open source boards... Thats really intelligent, it would be like flashing banners that say "BLOW, BLOW, BLOW"...

[TAPPER]

^^you make good points. In addition to wire taps the DEA could have easily placed a key logger on the computer(s) in question and sat back collecting data. Judging from the “Obie advertisement” contained within the linked document this guy was just asking for trouble and it was only a matter of time before it found him.

I still don’t like the fact Hush keeps the keys as well as the encrypted emails on their servers. Looking back, if Hush really wanted to make the whole process secure they should have made the client responsible for their keys. Maybe it was just an ease of use decision or maybe there is more than meets the eye.

[thegodfather]

^^you make good points. In addition to wire taps the DEA could have easily placed a key logger on the computer(s) in question and sat back collecting data. Judging from the “Obie advertisement” contained within the linked document this guy was just asking for trouble and it was only a matter of time before it found him.

I still don’t like the fact Hush keeps the keys as well as the encrypted emails on their servers. Looking back, if Hush really wanted to make the whole process secure they should have made the client responsible for their keys. Maybe it was just an ease of use decision or maybe there is more than meets the eye.

PGP is kind of difficult...Copy&pasting each time you encrypt/decrypt... I look at Hushmail,Cyber-Rights,Keptprivate as kind of the 'PGP for dummies'...very user friendly... Anyway, in the future, u should use your own PGP in addition to whats provided by Hush. But basically, if the LE is not able to find out the email address, they wont know where to look...Valuable lesson learned. If you wanted to be really paranoid, you would have a laptop, and not ever connect to those kind of sites from your own ISP, Im not going to elaborate anymore, but you guys know what sorts of methods im referring to...

[Raven88]

CD means Controlled Deliveries bro...

Or court documents.

[RuhlFreak55]

well does anyone have an alternative email that's better? not compromisable? if so PM me please

[TAPPER]

^^I don’t know of one, but if you encrypt your own emails it really doesn’t matter. It’s a little bit of a PITA to get people not used to working with pgp up and running (everyone you send an email to must have your public key and vise versa), but once its all set up the encryption/decryption process only takes a few seconds.

What surprises me is that pgp has not really caught on with the AAS community. It’s quite prevalent in some other circles and when it all comes down to it the law doesn’t differentiate between Schedule III controlled substances.

[BG]

They would need a serious search warrant to get that info. The people whom they got their information was porobably a HUGE source with a BIGGER case pending.

[Raven88]

well does anyone have an alternative email that's better? not compromisable? if so PM me please

Mailvault?

[TAPPER]

Originally posted by: T.R.D.

They would need a serious search warrant to get that info.

I would bet most if not all service providers would give up your IP address w/o a warrant. Once they make a sale there is probable cause to get a warrant and now they can legally gain access to your “private” data (emails, phone calls, etc). Such a scenario, as I see it, doesn’t require one to be a huge source or have pending cases, just the wrong source at the wrong time. Granted, the government probably isn’t looking to pursue leads on small time sources, but then again they have been known to squeeze the little guy with the hope of snagging a bigger fish.

Originally posted by: Raven88

Mailvault?

Mailvault retains your keys on their servers just like Hushmail. Why entrust something of value to a free service? IMO, download pgp and secure your own keys.

[Raven88]

Why entrust something of value to a free service? IMO, download pgp and secure your own keys.

True.

[thegodfather]

The sources who survived the 'Raw Deal' in the coming weeks, will be requiring all clients to have a PGP Key....and to use it for all correspondants..

[Mjølner]

Perhaps a few things that people don't know:

1. PGP, and the open source GPG BOTH work with hushmail. All you have to do is upload a public key to hushmail's keyserver, and you will be able to encrypt pgp email and send it to any email address. Likewise, any PGP/GPG user can email you from any email address, and send it to your hushmail address, simply by importing your public hushmail key to their GPG keyring.

PGP isn't free, while GPG is. Here are the links for GPG and the thunderbird plugin for it, which is called "enigmail":

http://www.gnupg.org/

http://enigmail.mozdev.org/

2. Hiding your location is as easy as using TOR. Here are two URL's...one to the TOR project, and another to a WIKI explaination. TOR is free.

http://tor.eff.org/

http://en.wikipedia.org/wiki/Tor_%28...ity_network%29)

3. Don't bother "cleaning" your computer. Install a "twofish" encrypted "file", and mount it with "Truecrypt", which is also free. Then, all that one must do, is save all of their "bullshit" to the "encrypted drive". All that a person needs to do, is edit their browser and email, to store their respective cache on the encrypted drive letter. Also, don't forget to disable your "pagefile" (virtual memory). Here is the link to "Truecrypt":

http://www.truecrypt.org/


Anyway, all of these tools are freely available to anyone, and when used properly, they are fairly bulletproof. HOWEVER, even though you are "coming from nowhere", "sending encrypted gibberish", and your computer consists of nothing but "encrypted gibberish"...ALL OF IT MATTERS NOT, if you are corresponding with a NARC.

If you wouldn't buy cocaine, methamphetamine, or weed off of the internet, why would you buy steroids ? The penalties for a CII violation and a CIII violation are almost identical.

As always, the best way to get gear, is to make friends with the big people at your gym, or drive/fly to where it is legal...the same way BILLIONS of other DRUG USERS obtain their DRUG OF CHOICE on a DAILY basis, without being CAUGHT - through a face to face social network of TRUSTED peers.

[Roid]

What about safe-mail.net?
Is it any good?

[Mjølner]

I haven't seen that one yet bro, but I'll take a look at it. As long as it uses open pgp standards, it's "good shit".

With GPG, you can make a hotmail account, or gmail account, and still correspond with hushmail users, or other users of pgp/gpg. There is no need to lock yourself into one online email client. It works with ANY email address.