
Hush mail compromised?

hstern said:
looking for keywords in a sequence probably pretty easy to do



The problem is doing it at line speeds approaching 10 Gbps and now even beyond... real time. Remember... storing now, searching later isn't possible. Real time is the only option - and doing so without significant packet loss is quite the task.
 
I don't think they will be concentrating too hard on a JH1 phone call as opposed to someone who may be on some list. It must be programmable; they need to put all this effort into catching Bin Laden.
 
I just got ahold of that PDF of that indictment that seems to imply Hushmail is compromised, in that they seemingly respond to subpoenas under MLAT with clear text emails from the addresses subject to subpoena:

http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

It appears the industry needs to pull their encryption in house and stop relying on 3rd party webmail systems. If you encrypt at your desktop with a system like PGP or whatnot - unless the DEA gets your passphrase or otherwise compromises your computer - you'd be safe.
 
This whole Hushmail thing has piqued my interest...

This is from 1999, an article about Hushmail where the whole premise was that they didn't have access to the passphrase and therefore couldn't unencrypt messages:

"We are providing the encryption, and anything people send is between them," said Gilliam, who is also president of Austin technical recruiting firm the Adderley Group. "We'll have to deal with that issue when we come to it. We do have logs of messages, but we are not able to read them. [A law enforcement subpoena] would be a hairy issue, and we have not considered it yet."

Is it legal?
Encryption lawyers suggest that HushMail would be on solid legal ground in the face of a subpoena.

"If they really don't have the data, they can't give up what they don't got," said Michael Froomkin, law professor at the University of Miami. "That's a pretty good defense."


http://www.news.com/Firm-unveils-encrypted-free-email/2100-1023_3-226160.html


And I believe that to be true, especially back in 2003, when the encryption/decryption engine was a local Java applet that never sent your passphrase to their servers. Now you log in directly via HTTP/S, so you are sending your phrase over the wire - they could and apparently do store this.
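
The trust-model difference described in the posts above (encrypting at the desktop versus typing the passphrase into a web login), sketched as an added example that is not part of the original thread and is not Hushmail's code. The symmetric scrypt + AES-GCM scheme and all function names are simplifying assumptions.

```javascript
// Added illustration; function names and the simplified symmetric scheme are
// assumptions, not Hushmail's actual code or protocol.
const crypto = require('node:crypto');

// Derive a 256-bit key from the passphrase (scrypt, random per-mailbox salt).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Authenticated encryption with AES-256-GCM.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag); // final() throws if the key or data is wrong
  return Buffer.concat([decipher.update(box.ct), decipher.final()]).toString('utf8');
}

// Model A (local applet / desktop PGP): encryption runs on the user's machine,
// so the provider's record holds the salt and ciphertext only.
function storeClientSide(passphrase, message) {
  const salt = crypto.randomBytes(16);
  return { salt, box: seal(deriveKey(passphrase, salt), message) };
}

// Model B (passphrase typed into a web login): TLS protects the passphrase in
// transit but ends at the provider, which performs the same encryption itself
// and is therefore in a position to retain the passphrase.
function storeServerSide(passphrase, message) {
  const salt = crypto.randomBytes(16);
  const box = seal(deriveKey(passphrase, salt), message);
  return { salt, box, seenPassphrase: passphrase };
}

// What the provider can hand over using nothing but its own record.
function providerCanProduce(record) {
  if (record.seenPassphrase === undefined) return null; // ciphertext only
  return open(deriveKey(record.seenPassphrase, record.salt), record.box);
}

// The account holder can read the mail in either model.
function ownerReads(passphrase, record) {
  return open(deriveKey(passphrase, record.salt), record.box);
}
```

The stored ciphertext is identical in kind in both models; the only thing that changes what the provider can produce is whether the passphrase ever reaches it.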
 
Apparently this was Hushmail's policy, but I can't find it on their website:

"What if my message is subpoenaed? Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even HushMail can access the encryption keys of individual users, in the case of a subpoena HushMail would only be able to provide the encrypted (coded) version of the transmitted email."
 
Hush Communications USA, for example, is based in Texas with its server located in Vancouver, Canada. It offers a web-based e-mail system called Hushmail which is used in the same way as Yahoo! Mail and MSN HotMail. The Hushmail system uses a mini-program which is downloaded to a user’s computer and performs encryption on the fly. This process is then reversed at the other end when the message is decrypted on the computer to which the message is being sent. Jon Gilliam at Hushmail notes that the levels of encryption that Hushmail can offer are such that "it would take 40 servers 40 years to crack the encryption on one single word". Gilliam says that all Hushmail communications are stored on their servers and not by the user’s particular Internet service provider. He also stated that third party access to messages sent by Hushmail is not a great concern due to the incredible levels of security provided by the encryption technology.

In regard to investigations of encrypted communications, Gilliam says that Hushmail would of course comply with requests from authorities for users’ transmissions if required to do so, but those transmissions would be totally encrypted, and completely unreadable by the courts. "Because only the sender and the recipient of the data transmissions hold the key to the encryption, which is itself encrypted, the data provided to the courts would be useless information," he says. Given the current uncertainty regarding the ability of authorities to access keys to encrypted information, Hushmail offers a product well-suited to individuals doing business with offshore financial service providers.


 
Here's another one that really seems to back up Hushmail's claims / privacy policy:

http://www.news.com/8301-10784_3-9741357-7.html?part=rss&subj=news&tag=2547-1001_3-0-5


In this, an MDMA bust, the DEA employed the use of a keylogger to capture the passphrase at the client computer / end point to bypass the encryption protection of the Hushmail system.

So if Hushmail can turn over clear text emails, then why would the DEA use keyloggers in this case? It's a total conflict.

1) Hushmail has stated before that they never have access to your passphrase therefore no access to clear text data.

2) They will comply with subpoenas, but it's unknown whether their response in this case was clear text or encrypted text.


... I'm still curious...

If it was clear text then Hush is definitely not holding to their word about how their system works, at least from their origins....
 
Well this is an interestingly technically flawed article by George Spellwin on Hushmail.

The claims of the servers being offshore (reality: Vancouver) being impervious to subpoena are completely incorrect. We have MLAT with Canada, and Hushmail is based out of Texas... they are subject to subpoena and will comply.

I am still not sure if they are providing clear text emails or not though. That would mean they are capturing pass phrases, in which case everyone should immediately abandon ship:


[Image: 2zgsxh3.jpg]