
Hushmail Spills to FEDS!!

Dank-j

Active member
Encrypted E-Mail Company Hushmail Spills to Feds
A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.
The first time a Hushmail user logs on, his browser downloads a Java applet that takes care of the decryption and encryption of messages on his computer, after the user types in the right passphrase. So messages reach Hushmail's server already encrypted. The Java code also decrypts the message on the recipient's computer, so an unencrypted copy never crosses the internet or hits Hushmail's servers.

In this scenario, if a law enforcement agency demands all the e-mails sent to or from an account, Hushmail can only turn over the scrambled messages since it has no way of reversing the encryption.

However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via a SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.

http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html


Time to purge your hushmail accounts boys
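
The two Hushmail modes described in the quoted article, modelled as an added example that is not part of the original post and is not Hushmail's code. The `Provider` class, the function names and the sample passphrase and message are hypothetical, and a toy HMAC keystream stands in for the real encryption engine; the point is what the provider can hand over before and after the passphrase has reached its servers.

```python
import hashlib, hmac, os

def derive_keys(passphrase, salt):
    # Passphrase -> (encryption key, MAC key) via PBKDF2-HMAC-SHA256.
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor(enc_key, nonce, data):
    # Toy HMAC counter keystream (assumption: stand-in for the real engine).
    ks = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(keys, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor(keys[0], nonce, plaintext)
    return body + hmac.new(keys[1], body, hashlib.sha256).digest()

def unseal(keys, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], body, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or tampered message")
    return _xor(keys[0], body[:16], body[16:])

class Provider:  # hypothetical model of the provider's view; not Hushmail's code
    def __init__(self):
        self.salt = os.urandom(16)
        self.mailbox = []             # sealed messages at rest
        self.passphrase_seen = None   # set only by the server-side engine
    def webmail_read(self, passphrase):
        # Server-side engine: the passphrase arrives over SSL and is used here.
        self.passphrase_seen = passphrase
        keys = derive_keys(passphrase, self.salt)
        return [unseal(keys, b) for b in self.mailbox]
    def disclose(self):
        # Everything the operator is able to hand over when compelled.
        if self.passphrase_seen is None:
            return list(self.mailbox)  # scrambled blobs only
        return self.webmail_read(self.passphrase_seen)

def applet_send(provider, passphrase, text):
    # Client-side engine: sealing happens on the user's machine.
    provider.mailbox.append(seal(derive_keys(passphrase, provider.salt), text))

def demo(passphrase="correct horse (constructed)", msg=b"constructed sample message"):
    p = Provider()
    applet_send(p, passphrase, msg)
    applet_only = p.disclose()        # before the passphrase ever left the client
    p.webmail_read(passphrase)        # one server-side login
    return applet_only, p.disclose()
```

`demo()` returns the provider's disclosure twice: ciphertext only while the account is used through the client-side engine, and the readable message once a single server-side login has taken place.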
 

Guest

That's why smart users hide in plain sight and use regular email accounts. It's mixed in with millions upon millions of accounts....but those extra smart doers who think they are getting away with something use hushmail and sorts....think about it...hushmail....like the feds don't think you are hiding something by using such a service....luckily no one I know uses them..lol....Ssshhhh
 

R03

Active member
fazed said:
That's why smart users hide in plain sight and use regular email accounts. It's mixed in with millions upon millions of accounts....but those extra smart doers who think they are getting away with something use hushmail and sorts....think about it...hushmail....like the feds don't think you are hiding something by using such a service....luckily no one I know uses them..lol....Ssshhhh

That is so true, I had a bad feeling when I came upon Hushmail. I wonder sometimes whether these sorta co's are put together by feds, or some fed links intact. Hushmail would be a honey pot for people with secrets, maybe even illegal ones of a very serious nature.
 

Berry_Coughin'

Active member
Veteran
hmmmm.... If I'm looking for sneaky emails, am I gonna inquire the billions upon billions in say yahoo, or hotmail?? no... I'm gonna dig up hushmail..... right there in plain sight.... and people actually felt secure..... wtf..... yahoo all the way, never did me wrong.....
 

Verite

My little pony.. my little pony
Veteran
Thank jeebus for roids. If it weren't for them they would surely be on our ass that much more.
 
If you really must transmit incriminating data over the internets, I suggest you download Thunderbird and OpenPGP/GPG and enigmail. Then if you maintain security on your computer, and your recipient does as well, it's basically impossible to intercept and decrypt your mail. I mean if the NSA\CIA is after your ass they might get you but you've got bigger problems then!
 
Stay Puft: If that was the case then I think we'd have known about it long ago, as it would have been introduced as evidence in some major (or minor) trial. Unless they are keeping it hush hush, which makes it useless for conspiracy evidence if you can't present it at trial!

Here's an old but interesting article by the author of PGP...slick willie wanted to ram government monitoring down our throats then. Meet the new boss, same as the old boss.

http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
 

Gunnarguchi

Active member
ICMag Donor
Veteran
I hope this isn't true.
I'm using hushmail as I thought it was the best privacy concern email company and has automatic encryption among other hushmail users.

This is seriously undermining my beliefs in hushmail as a privacy provider if this is true?
 

Verite

My little pony.. my little pony
Veteran
I went old school years ago. Tap this bitches.

phone.jpg
 
Gunnarguchi said:
I hope this isn't true.
I'm using hushmail as I thought it was the best privacy concern email company and has automatic encryption among other hushmail users.

This is seriously undermining my beliefs in hushmail as a privacy provider if this is true?
Are you using the PC-side Java option? That was the one that is still fully secure (until the Feds compel them to put a "virus" in that). It's those who were using their pure webmail version that were compromised.
 

Gunnarguchi

Active member
ICMag Donor
Veteran
acgreenjeans said:
Are you using the PC-side Java option? That was the one that is still fully secure (until the Feds compel them to put a "virus" in that). It's those who were using their pure webmail version that were compromised.
It's a webmail but it loads up a Java encryption engine each time before I log on?
 

Soft Smoke

Member
About encryption:

All, and I mean ALL, current encryption is based upon a "key" that allows a computer to unlock a complex mathematical formula. The complexity of the "key" is what makes one sort of encryption stronger than another. This is simplified of course, but you get the idea. A 128 bit encryption like PGP is a key that contains 128 alphanumeric characters or symbols. This means there are literally billions of combinations possible for every encrypted message or file. This meant a lot even ten years ago, but I want you to think about how fast computers are now and ask yourself this:

How long would a series of parallel processors take to try every one of those billion possible combinations? weeks, days, hours...?

If I was a government agency like the FBI, NSA, DEA and required the ability to brute force decryption, I would pay a billion dollars or so for a computer system that could do just that. Why not? It's a simple solution, easy to maintain, and would do the trick nicely.

As a second issue, I would like to point out that EVERY form of encryption now in use has been the offspring or evolution of government or military research and development. Every one. How crazy would it be "sigh" for the government to develop a "new" "totally secure" "absolutely safe" and "GOVERNMENT PROOF" encryption, set up a civilian company to take credit for its development, and disperse it to the public all the while marketing it as the greatest gift to individual freedom since the Bill of Rights. They would watch as drug manufacturers, terrorists, political enemies, and domestic corporations all started using it in an effort to keep the government's prying eyes out of their files. Meanwhile, the NSA has the key to decrypting every file using this system. They could set up a relatively small processing center to handle all the requests from other government agencies to decrypt files.

One more question:

They've done this before, why don't you think they're doing it now?


There is an old proverb "A secret known to more than one person is no secret at all."

I am a great advocate of just keeping your head down and out of the light. The people who get busted other than by accident, are those who do or say something to attract attention. And for God's sake, don't give a government agency a hard for you. They WILL eventually find a way to **** you.

Be smart.
Be cautious.
Be discreet.

Peace,

SS
 