  1. #1
    Carlos_E is offline National Level Bodybuilder/Hall of Famer/RETIRED
    Join Date
    May 2002
    Location
    NYC
    Posts
    17,629

    Encrypted E-Mail Company Hushmail Spills to Feds

    It's reached regular news

    http://blog.wired.com/27bstroke6/200...ted-e-mai.html

    Encrypted E-Mail Company Hushmail Spills to Feds
    By Ryan Singel November 07, 2007


    Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer."

    But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

    A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.

    The court revelation demonstrates a privacy risk in a relatively-new, simple webmail offering by Hushmail, which the company acknowledges is less secure than its signature product.

    A subsequent and refreshingly frank e-mail interview with Hushmail's CTO seems to indicate that government agencies can also order their way into individual accounts on Hushmail's ultra-secure web-based e-mail service, which relies on a browser-based Java encryption engine.

    Since its debut in 1999, Hushmail has dominated a unique market niche for highly-secure webmail with its **********, client-side encryption engine.

    Hushmail uses industry-standard cryptographic and encryption protocols (OpenPGP and AES 256) to scramble the contents of messages stored on their servers. They also host the public key needed for other people using encrypted email services to send secure messages to a Hushmail account.

    The first time a Hushmail user logs on, his browser downloads a Java applet that takes care of the decryption and encryption of messages on his computer, after the user types in the right passphrase. So messages reach Hushmail's server already encrypted. The Java code also decrypts the message on the recipient's computer, so an unencrypted copy never crosses the internet or hits Hushmail's servers.

    In this scenario, if a law enforcement agency demands all the e-mails sent to or from an account, Hushmail can only turn over the scrambled messages since it has no way of reversing the encryption.

    However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via a SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

    The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.

    In the case of the alleged steroid dealer, the feds seemed to compel Hushmail to exploit this hole, store the suspects' secret passphrase or decryption key, decrypt their messages and hand them over.

    Hushmail CTO Brian Smith declined to talk about any specific law enforcement requests, but described the general vulnerability to THREAT LEVEL in an e-mail interview (You can read the entire e-mail thread here):

    The key point, though, is that in the non-Java configuration, private key and passphrase operations are performed on the server-side.

    This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet.

    This might clarify things a bit when you are considering what actions we might be required to take under a court order. Again, I stress that our requirement in complying with a court order is that we not take actions that would affect users other than those specifically named in the order.


    Hushmail's marketing copy largely glosses over this vulnerability, reassuring users that the non-Java option is secure.

    Turning on Java provides an additional layer of security, but is not necessary for secure communication using this system[...]

    Java allows you to keep more of the sensitive operations on your local machine, adding an extra level of protection. However, as all communication with the webserver is encrypted, and sensitive data is always encrypted when stored on disk, the non-Java option also provides a very high level of security.


    But can the feds force Hushmail to modify the Java applet sent to a particular user, which could then capture and send the user's passphrase to Hushmail, then to the government?

    Hushmail's own threat matrix includes this possibility, saying that if an attacker got into Hushmail's servers, they could compromise an account -- but that "evidence of the attack" (presumably the rogue Java applet) could be found on the user's computer.

    Hushmail's Smith:

    [T]he difference being that in Java mode, what the attacker does is potentially detectable by the user (via view source in the browser).


    "View source" would not be enough to detect a bugged Java applet, but a user could examine the applet's runtime code and the source code for the Java applet is publicly available for review. But that doesn't mean a user could easily verify that the applet served up by Hushmail was compiled from the public source code.

    Smith concurs and hints that Hushmail's Java architecture doesn't technically prohibit the company from being able to turn over unscrambled emails to cops with court orders.

    You are right about the fact that view source is not going to reveal anything about the compiled Java code. However, it does reveal the HTML in which the applet is embedded, and whether the applet is actually being used at all. Anyway, I meant that just as an example. The general point is that it is potentially detectable by the end-user, even though it is not practical to perform this operation every time. This means that in Java mode the level of trust the user must place in us is somewhat reduced, although not eliminated.

    The extra security given by the Java applet is not particularly relevant, in the practical sense, if an individual account is targeted. (emphasis added) [...]


    Hushmail won't protect law violators being chased by patient law enforcement officials, according to Smith.

    [Hushmail] is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order.

    That's also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order.


    Smith also says that it only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government whose Justice Department then applies, with sworn affidavits, for a court order.

    We receive many requests for information from law enforcement authorities, including subpoenas, but on being made aware of the requirements, a large percentage of them do not proceed.

    To date, we have not challenged a court order in court, as we have made it clear that the court orders that we would accept must follow our guidelines of requiring only actions that can be limited to the specific user accounts named in the court order. That is to say, any sort of requirement for broad data collection would not be acceptable.


    I was first tipped to this story via the Cryptography Mailing List, and Kevin, who had been talking with Hushmail about similar matters involving another case, followed up with Smith. We both agree Hushmail deserves credit for its frank and open replies (.pdf). Such candor is hard to come by these days, especially since most ISPs won't even tell you how long they hold onto your IP address or if they sell your web-surfing habits to the highest bidders.
    Muscle Asylum Project Athlete
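
The quoted article notes that a user could not easily verify that the applet Hushmail served matched the public source. The following is an added example, not part of the original post, the article, or Hushmail's code: it compares a served JAR against a locally built reference entry by entry. It assumes the build is reproducible (same compiler output for the same source); the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Signing and manifest entries legitimately differ between a signed release and a local build.
IGNORED_PREFIXES = ("META-INF/",)


def entry_digests(jar_bytes):
    """Map each archive entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.startswith(IGNORED_PREFIXES):
                continue
            digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(served, reference):
    """Report entries that changed, exist only in the served JAR, or only in the reference."""
    s, r = entry_digests(served), entry_digests(reference)
    return {
        "changed": sorted(n for n in s.keys() & r.keys() if s[n] != r[n]),
        "only_in_served": sorted(s.keys() - r.keys()),
        "only_in_reference": sorted(r.keys() - s.keys()),
    }


def make_jar(entries):
    """Build an in-memory JAR (a ZIP archive) from {name: bytes}; used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes, not real applet contents.
BASE = {"com/example/Engine.class": b"reference-engine", "com/example/Ui.class": b"reference-ui"}
REFERENCE = make_jar({**BASE, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
SERVED_SAME = make_jar({**BASE, "META-INF/SIGNER.SF": b"constructed-signature"})
SERVED_MODIFIED = make_jar({**BASE, "com/example/Engine.class": b"altered-engine",
                            "com/example/Extra.class": b"unexpected-class"})

if __name__ == "__main__":
    print(compare_jars(SERVED_SAME, REFERENCE))
    print(compare_jars(SERVED_MODIFIED, REFERENCE))
```

A clean result only covers the copy that was captured and compared; as the article points out, the check would have to be repeated for every applet download to rule out a one-time targeted substitution.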

  2. #2
    Carlos_E is offline National Level Bodybuilder/Hall of Famer/RETIRED
    Join Date
    May 2002
    Location
    NYC
    Posts
    17,629
    Some of the comments from readers are asinine.

    GOOD! I'm glad that the Feds were able to get their hands on those emails! I hope it helps them catch the people creating those drugs that kill millions each year. If you have nothing to hide, then you have no reason to want to hide it. I'm glad to see that law enforcement agencies can still uphold and protect the laws created in this country to protect those that are innocent from those that are criminals. Crime doesn't pay.
    Kills millions???
    Muscle Asylum Project Athlete

  3. #3
    thegodfather is offline Dulce bellum inexpertis
    Join Date
    Nov 2004
    Location
    Middle East
    Posts
    3,511
    hushmail&cyber-rights

  4. #4
    Atomini is offline Banned
    Join Date
    Mar 2007
    Location
    GTA, Canada
    Posts
    6,121
    lol.

  5. #5
    thegodfather is offline Dulce bellum inexpertis
    Join Date
    Nov 2004
    Location
    Middle East
    Posts
    3,511

  6. #6
    Kratos is offline I feel accomplished
    Join Date
    Jun 2007
    Location
    CT
    Posts
    34,255
    Quote Originally Posted by Carlos_E View Post
    Some of the comments from readers are asinine.



    Kills millions???

    Or why don't we just install video cameras in our houses with direct feed to the department of justice. I mean, we have nothing to hide so why not? WTF

  7. #7
    thegodfather is offline Dulce bellum inexpertis
    Join Date
    Nov 2004
    Location
    Middle East
    Posts
    3,511
    I can see where this is going...I'm going to have to drive 10 miles away, park in a ****ing cookie-cutter development, and use my laptop to leech off someone's LAN just to browse AR or send messages. You think that's funny, but I know someone who does that, lol....

    People get with the program, forget hush, cyber-rights, safe-mail, any of them... You're just as well to use Yahoo and use your own PGP encryption and start exchanging keys with people. It takes about 5 seconds to send your Public Key to someone else...

    Apparently though, from that post the other day, we're going to start having to put our computers into ****ing lockboxes or safes when we leave the house, since that affidavit said "to use any means necessary including breaking-in-entering, to implant a keylogger onto the computer.".....state sanctioned B&E, that's cute...

  8. #8
    RuhlFreak55 is offline Purveyor of Thor's Hammer
    Join Date
    Jan 2006
    Location
    in dreamy land
    Posts
    33,788
    Quote Originally Posted by thegodfather View Post
    I can see where this is going...I'm going to have to drive 10 miles away, park in a ****ing cookie-cutter development, and use my laptop to leech off someone's LAN just to browse AR or send messages. You think that's funny, but I know someone who does that, lol....

    People get with the program, forget hush, cyber-rights, safe-mail, any of them... You're just as well to use Yahoo and use your own PGP encryption and start exchanging keys with people. It takes about 5 seconds to send your Public Key to someone else...

    Apparently though, from that post the other day, we're going to start having to put our computers into ****ing lockboxes or safes when we leave the house, since that affidavit said "to use any means necessary including breaking-in-entering, to implant a keylogger onto the computer.".....state sanctioned B&E, that's cute...
    i'd like to see 'em get past my pack of rottweilers

  9. #9
    Amorphic is offline Veritas, Aequitas ~
    Join Date
    Apr 2007
    Location
    Canada - No source checks
    Posts
    16,146
    pretty ridiculous. cant trust anything anymore

  10. #10
    PROTEINSHAKE is offline Protein Power
    Join Date
    Feb 2006
    Location
    somewhere
    Posts
    4,938
    one thing you can bank on-----NOTHING is safe-NOTHING. this whole thing is outta control.....

  11. #11
    Brazil is offline Member
    Join Date
    Oct 2005
    Location
    brazil
    Posts
    616
    HEY ^^^^ you got a hot avy one of the better ones!

  12. #12
    Carlos_E is offline National Level Bodybuilder/Hall of Famer/RETIRED
    Join Date
    May 2002
    Location
    NYC
    Posts
    17,629
    Quote Originally Posted by Brazil View Post
    HEY ^^^^ you got a hot avy one of the better ones!
    Why thank you.





    Muscle Asylum Project Athlete

  13. #13
    scaramouche is offline Senior Member
    Join Date
    Mar 2007
    Location
    blighty
    Posts
    1,436
    Quote Originally Posted by thegodfather View Post
    I can see where this is going...I'm going to have to drive 10 miles away, park in a ****ing cookie-cutter development, and use my laptop to leech off someone's LAN just to browse AR or send messages. You think that's funny, but I know someone who does that, lol....
    yeah that's one solution, but quite recently in the uk someone was arrested for stealing bandwidth while doing that

    http://www.pcadvisor.co.uk/news/index.cfm?newsid=9029

  14. #14
    thegodfather is offline Dulce bellum inexpertis
    Join Date
    Nov 2004
    Location
    Middle East
    Posts
    3,511
    Quote Originally Posted by scaramouche View Post
    yeah that's one solution, but quite recently in the uk someone was arrested for stealing bandwidth while doing that

    http://www.pcadvisor.co.uk/news/index.cfm?newsid=9029
    I just read that article.... I love how they justify EVERYTHING about why you shouldn't be able to avoid being traced on the internet to aiding "Paedophiles," as if there are millions of them on the internet trying to avoid detection. Give me a ****ing break, maybe a few thousand people worldwide, just like terrorists, maybe 20,000 people max, yet all this hysteria about why we should give up our Constitutional Rights to either be safer or help arrest these people..... Propaganda and bullshit...

  15. #15
    Schmidty is offline Test Is Best!
    Join Date
    Aug 2006
    Posts
    6,899
    But most of my sources wont even talk2people if they are not encrypted. So now what do we do?

  16. #16
    scaramouche is offline Senior Member
    Join Date
    Mar 2007
    Location
    blighty
    Posts
    1,436
    Quote Originally Posted by thegodfather View Post
    I just read that article.... I love how they justify EVERYTHING about why you shouldn't be able to avoid being traced on the internet to aiding "Paedophiles," as if there are millions of them on the internet trying to avoid detection. Give me a ****ing break, maybe a few thousand people worldwide, just like terrorists, maybe 20,000 people max, yet all this hysteria about why we should give up our Constitutional Rights to either be safer or help arrest these people..... Propaganda and bullshit...
    it's a lame excuse i know, it's as if everyone who wants privacy is really a closet paedo

    incidentally, i'm afraid the figures are much higher than that
    http://www.theregister.co.uk/2005/04...lice_internet/
