
Hush mail compromised?

From Hushmail, a description of how their webmail handles encryption.

https://www.hushmail.com/public_documents/Webmail Using the Hush Encryption Engine.pdf

A couple of important things to point out here:

1) As with any email encryption, headers are not encrypted. Meaning that Sender / Recipient are exposed as well as subject lines.

2) The encryption of the message body and attachments takes place at your computer, therefore hushmail cannot access the contents even for response to subpoenas.


Unless Hushmail is flat out lying, they cannot provide clear text communications in response to a subpoena. Now if you are dumb enough to put information in the subject line or send to / from a non-PGP encrypted account you're fucked. Plus no matter what - you are going to expose / leak some information based on sender / receiver information.





I sincerely doubt hushmail is lying about this, as the industry would have outed them x10 by now - especially Phil Zimmermann the guy who wrote PGP. That being said, it's entirely possible that the indictment was written that way to make it seem like hush was handing over clear text emails to induce fear in the steroid community.

In the end if you use an open PGP engine on your desktop, you're better off IMO. But then - as in the MDMA case above - they are still gonna get you if they want you because they will put a keylogger like FBI's Magic Lantern on your computer by breaking into your house if necessary.

You gotta be one paranoid sneaky mother fucker to be able to beat them at their game, that's apparent.
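The first point in the post above (headers stay in cleartext when only the body is PGP-encrypted), shown as an added example that is not part of the original thread. It parses a constructed message with Python's standard `email` module and reports what a mail provider or on-path observer can still read; the addresses, hostnames and armor payload are made up.

```python
from email import message_from_string

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"

# Constructed sample: inline-PGP mail with one line left outside the armor.
SAMPLE = (
    "Received: from mail.example.net by mx.example.org;"
    " Mon, 01 Jan 2024 10:00:00 +0000\n"
    "From: alice@example.net\n"
    "To: bob@example.org\n"
    "Subject: Q3 invoice for Bob\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Message-ID: <constructed-1@example.net>\n"
    "\n"
    "Hi Bob, see attached.\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA0NvbnN0cnVjdGVkUGxhY2Vob2xkZXI=\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)

def exposure_report(raw):
    """Return what remains readable without the recipient's private key."""
    msg = message_from_string(raw)
    inside, armored, outside = False, 0, []
    # Walk every leaf part so multipart mail is covered as well.
    for part in msg.walk():
        if part.is_multipart():
            continue
        for line in str(part.get_payload()).splitlines():
            text = line.strip()
            if text == BEGIN:
                inside, armored = True, armored + 1
            elif text == END:
                inside = False
            elif not inside and text:
                outside.append(text)  # body text that was never encrypted
    return {
        "cleartext_headers": msg.items(),  # sender, recipient, subject, route
        "armored_blocks": armored,
        "cleartext_body_lines": outside,
    }

if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE).items():
        print(key, "=", value)
```
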
 
Sites like this one and others are way too easy to find. Go to google and type in steroids. I believe that's how I stumbled across this site. Everyone is so paranoid that LE is suddenly aware of what's going on...shit! LE has known about these sites, and I'm sure LE is on this and many other sites everyday checkin things out. Everyone is so open around here with info on labs, and names of labs etc. Then they get surprised when that lab gets busted. Come on people! BTW good post on hushmail jh1.
 
I'm under the impression that one way to send an email that can't be "sniffed" by systems like echelon is to convert your message to an image file like a TIF or JPG and send as an attachment.
 
triceptor said:
I'm under the impression that one way to send an email that can't be "sniffed" by systems like echelon is to convert your message to an image file like a TIF or JPG and send as an attachment.


Theoretically echelon could also catch that, but it takes a lot more horse power since it would have to actually OCR the text and read it in real time - which is much more processor intensive than reading plain text in real time.

Take that a step further, and you could put encrypted text in a picture. Or take encrypted data and hide it amongst the data of a legitimate picture. See: steganography.

Realistically the way echelon would have to handle even the most basic level of text in pictures would be to offload those communications, when detected, to non-realtime systems. So detect in realtime, offload to farms dedicated to handling such processor intensive snooping allowing the regular systems to go about their business.
 
jh1 said:
This whole Hushmail thing has piqued my interest...

This is from 1999, an article about hushmail where the whole premise was that they didn't have access to the passphrase therefore couldn't unencrypt messages:




http://www.news.com/Firm-unveils-encrypted-free-email/2100-1023_3-226160.html


And I believe that to be true, especially back in 2003, when the encryption decryption engine was a local java applet that never sent your passphrase to their servers. Now you log in directly via HTTP/S so you are sending your phrase over the wire - they could and apparently do store this.

To the best of my knowledge, they still use java. Ostensibly, your passphrase is never transmitted outside of your machine, as long as the encryption/decryption is done using their Hush Encryption Engine, which runs as a java applet in one's browser. I suppose the only way to know for sure is to run a packet sniffer on one's connection while connected to Hushmail....

I just tested logging in with a dummy account, even via https:; the Hush Encryption Engine still loads and appears to function normally. So, it would appear that https: does not automatically lead to your passphrase being sent over the wire to Hush's servers, where it can be captured/logged/sniffed.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
 