
Hush mail compromised?

jon79 said:
he basically said hush is still ef choice of email provider....so it seems that he had no worries..


hush handed over emails in at least one lab bust. gave em right to dea on a CD. DEA even had all the info in the bodies of those emails...$ paid, how paid (WU or greendot), names and addresses sent to, etc. Proof is in the link below.

http://static.bakersfield.com/smedia...filiate.25.pdf


The government clearly has access to hush email through what is apparently known as "MLAT" Mutual Legal Assistance Treaty.
 
If you were to use it for illegal transactions it's most certainly not safe.

But for mailing mom to see how she's doing should be just fine.
 
Tweakle said:
If you were to use it for illegal transactions it's most certainly not safe.

But for mailing mom to see how she's doing should be just fine.
oh thanks for that lol
 
the whole internet is compromised.. you wanna prove it to yourself. go to google type this in the search bar .. i am going to assassinate the p o t u s o a... aka George Bush.. and see how long it is before you get a visit from the police or feds you think i am nuts go ahead and try it and watch what happens lol
 
kano said:
the whole internet is compromised.. you wanna prove it to yourself. go to google type this in the search bar .. i am going to assassinate the p o t u s o a... aka George Bush.. and see how long it is before you get a visit from the police or feds you think i am nuts go ahead and try it and watch what happens lol

I dunno about that maing....I was recently in Canada and Googled fake passports and bomb making instructions from my hotel. I prolly did it five times over a period of about two weeks.

No one even called :(.
 
i don't know how anyone can think that a "secure" email service/provider can be safe from the LE
 
kano said:
the whole internet is compromised.. you wanna prove it to yourself. go to google type this in the search bar .. i am going to assassinate the p o t u s o a... aka George Bush.. and see how long it is before you get a visit from the police or feds you think i am nuts go ahead and try it and watch what happens lol
lmao at peoples delusions
do you realize how vast and impossible to manage the internet is?
virtually impossible to effectively police, you joosers made it a hell of a lot easier by pointing the feds in the right direction. no one to blame but yourselves
 
ceo said:
hush handed over emails in at least one lab bust. gave em right to dea on a CD. DEA even had all the info in the bodies of those emails...$ paid, how paid (WU or greendot), names and addresses sent to, etc. Proof is in the link below.

http://static.bakersfield.com/smedia...filiate.25.pdf


The government clearly has access to hush email through what is apparently known as "MLAT" Mutual Legal Assistance Treaty.


Your link does not work, would like to see the real PDF.

The way Hush *USED* to be was that they never even had access to your passphrase because you handed it over to a local java applet that encrypted / decrypted your messages - so it was never sent to hush.

Now with that java being removed you are sending that to Hush's webservers and they could, theoretically, record and store that information. Sad compromise of what was a pretty rock solid system to provide encryption to the masses.

EF's interests are in protecting EF, not their customers. They log IPs, they won't allow rock solid privacy proxies to even be discussed, etc. Hush is a separate entity altogether.
 
Moltke said:
lmao at peoples delusions
do you realize how vast and impossible to manage the internet is?
virtually impossible to effectively police, you joosers made it a hell of a lot easier by pointing the feds in the right direction. no one to blame but yourselves


I doubt you'd get a visit for searching Kano's term, but I am not sure what you are referring to as a delusion.

Although the internet is vast and an unimaginable amount of data flows over it - basic traffic has, can and will be tapped and monitored - most prominently by a system called Echelon (Intelligence) & a system called Carnivore (Law Enforcement). When all the terrorist scare tactics were in full effect the NSA was able to get AT&T and other providers to put taps on vast fiber backbones of the internet and pump the tapped data into huge rooms filled with NSA equipment. It's suspected every major player was involved, but at AT&T there was a whistleblower, a lawsuit by the EFF, etc - all of which has been effectively swept under the rug.
 
jh1 said:
I doubt you'd get a visit for searching Kano's term, but I am not sure what you are referring to as a delusion.

Although the internet is vast and an unimaginable amount of data flows over it - basic traffic has, can and will be tapped and monitored - most prominently by a system called Echelon (Intelligence) & a system called Carnivore (Law Enforcement). When all the terrorist scare tactics were in full effect the NSA was able to get AT&T and other providers to put taps on vast fiber backbones of the internet and pump the tapped data into huge rooms filled with NSA equipment. It's suspected every major player was involved, but at AT&T there was a whistleblower, a lawsuit by the EFF, etc - all of which has been effectively swept under the rug.
i don't doubt this at all, good post.
i find it funny that people think using hushmail is 100% safe, same with those stupid disclaimers lol
 
Moltke said:
i don't doubt this at all, good post.
i find it funny that people think using hushmail is 100% safe, same with those stupid disclaimers lol


Bruce Schneier is one of the most respected peeps in the industry:

http://www.schneier.com/blog/archives/2006/04/att_assisting_n.html

They use equipment from Narus, real time data mining at mind bending speeds... it's incredible stuff. I worked with Narus equipment at Sprint.

http://www.spamdailynews.com/publish/ATT_tech_outs_NSA_spy_room.asp

This is a good up-to-date article about the court battle, of course the government is arguing the case needs to be dropped due to national security - and AT&T the other defendant simply rides along on that same principle claiming that they can't defend themselves due to national security.

http://government.zdnet.com/?p=3359
 
lol. oh my......You have over 600000000 million kids in a room, can you watch all of them and hear all of their convos at the same time???
 
Angel said:
lol. oh my......You have over 600000000 million kids in a room, can you watch all of them and hear all of their convos at the same time???


Yes.

You'll get a system with a lot of 'false positives' though and will have an overall effectiveness of about 30%...
 
hstern said:
looking for keywords in a sequence probably pretty easy to do



The problem is doing it at line speeds approaching 10gbps and now even beyond... real time. Remember... storing now, searching late isn't possible. Real time is the only option - and doing so without significant packet loss is quite the task.
 
i dont think they will be concentrating too hard on a JH1 phone call as opposed to someone who may be on some list, it must be programmable, they need to put all this effort into catching bin laden
 
I just got ahold of the PDF of that indictment that seems to imply hushmail is compromised in that they seemingly respond to subpoenas under MLAT with clear text emails from the addresses subject to subpoena:

http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

It appears the industry needs to pull their encryption in house and stop relying on 3rd party webmail systems. If you encrypt at your desktop with a system like PGP or whatnot - unless the DEA gets your passphrase or otherwise compromises your computer - you'd be safe.
 
This whole Hushmail thing has piqued my interest...

This is from 1999, an article about hushmail where the whole premise was that they didn't have access to the passphrase, therefore couldn't decrypt messages:

"We are providing the encryption, and anything people send is between them," said Gilliam, who is also president of Austin technical recruiting firm the Adderley Group. "We'll have to deal with that issue when we come to it. We do have logs of messages, but we are not able to read them. [A law enforcement subpoena] would be a hairy issue, and we have not considered it yet."

Is it legal?
Encryption lawyers suggest that HushMail would be on solid legal ground in the face of a subpoena.

"If they really don't have the data, they can't give up what they don't got," said Michael Froomkin, law professor at the University of Miami. "That's a pretty good defense."


http://www.news.com/Firm-unveils-encrypted-free-email/2100-1023_3-226160.html


And I believe that to be true, especially back in 2003, when the encryption decryption engine was a local java applet that never sent your passphrase to their servers. Now you login directly via HTTP/S so you are sending your phrase over the wire - they could and apparently do store this.
 
Apparently this was Hushmail's policy, but I can't find it on their website:

"What if my message is subpoenaed? Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even HushMail can access the encryption keys of individual users, in the case of a subpoena HushMail would only be able to provide the encrypted (coded) version of the transmitted email."
 
Hush Communications USA, for example, is based in Texas with its server located in Vancouver, Canada. It offers a web-based e-mail system called Hushmail which is used in the same way as Yahoo!Mail and MSN HotMail. The Hushmail system uses a mini-program which is downloaded to a user's computer and performs encryption on the fly. This process is then reversed at the other end when the message is decrypted on the computer to which the message is being sent. Jon Gilliam at Hushmail notes that the levels of encryption that Hushmail can offer are such that "it would take 40 servers 40 years to crack the encryption on one single word". Gilliam says that all Hushmail communications are stored on their servers and not by the user's particular Internet service provider. He also stated that third party access to messages sent by Hushmail is not a great concern due to the incredible levels of security provided by the encryption technology.

In regard to investigations of encrypted communications, Gilliam says that Hushmail would of course comply with requests from authorities for users’ transmissions if required to do so, but those transmissions would be totally encrypted, and completely unreadable by the courts. "Because only the sender and the recipient of the data transmissions hold the key to the encryption, which is itself encrypted, the data provided to the courts would be useless information," he says. Given the current uncertainty regarding the ability of authorities to access keys to encrypted information, Hushmail offers a product well-suited to individuals doing business with offshore financial service providers.


 
Here's another one that really seems to back up Hushmail's claims / privacy policy:

http://www.news.com/8301-10784_3-9741357-7.html?part=rss&subj=news&tag=2547-1001_3-0-5


In this, an MDMA bust, the DEA employed the use of a keylogger to capture the passphrase at the client computer / end point to bypass the encryption protection of the Hushmail system.

So if Hushmail can turn over clear text emails, then why would the DEA use keyloggers in this case? It's a total conflict.

1) Hushmail has stated before that they never have access to your passphrase therefore no access to clear text data.

2) They will comply with subpoenas, but it's unknown whether their response in this case was clear text or encrypted text.


... I'm still curious...

If it was clear text then Hush is definitely not holding to their word about how their system works, at least from their origins....
 
Well this is an interestingly technically flawed article by George Spellwin on Hushmail.

The claims of the servers being offshore (reality: Vancouver) being impervious to subpoena is completely incorrect. We have MLAT with Canada, and Hushmail is based out of Texas... they are subject to subpoena and will comply.

I am still not sure if they are providing clear text emails or not though. That would mean they are capturing pass phrases, in which case everyone should immediately abandon ship:


[attached image: 2zgsxh3.jpg]
 
From Hushmail, a description of how their webmail handles encryption.

https://www.hushmail.com/public_documents/Webmail Using the Hush Encryption Engine.pdf

A couple of important things to point out here:

1) As with any email encryption, headers are not encrypted. Meaning that Sender / Recipient are exposed as well as subject lines.

2) The encryption of the message body and attachments takes place at your computer, therefore hushmail cannot access the contents even for response to subpoenas.


Unless Hushmail is flat out lying, they cannot provide clear text communications in response to a subpoena. Now if you are dumb enough to put information in the subject line or send to / from a non-PGP encrypted account you're fucked. Plus no matter what - you are going to expose / leak some information based on sender / receiver information.

[attached image: hsrpft.jpg]


[attached image: huhtfn.jpg]




I sincerely doubt hushmail is lying about this, as the industry would have outed them x10 by now - especially Phil Zimmermann, the guy who wrote PGP. That being said, it's entirely possible that the indictment was written that way to make it seem like hush was handing over clear text emails to induce fear in the steroid community.

In the end if you use an open PGP engine on your desktop, you're better off IMO. But then - as in the MDMA case above - they are still gonna get you if they want you because they will put a keylogger like FBI's Magic Lantern on your computer by breaking into your house if necessary.

You gotta be one paranoid sneaky mother fucker to be able to beat them at their game, that's apparent.
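To make the two points above concrete (headers stay in clear, body is encrypted before it ever reaches the provider), here is an added, self-contained Python example. It is not Hushmail's code and not OpenPGP: the body cipher is a toy HMAC-SHA256 keystream with an authentication tag, standing in for the symmetric layer so the example runs with the standard library only. The addresses, subject, passphrase and message text are constructed sample values.

```python
"""Constructed demo: what a mail provider (or a subpoena response built from
its stored copy) can read when the body is encrypted on the client."""
import hashlib
import hmac
import os
import textwrap
from email import message_from_string, policy
from email.message import EmailMessage


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Key is derived on the client and never transmitted.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream (HMAC-SHA256 over nonce||counter). Illustrative
    # stand-in for a real cipher such as the one inside OpenPGP.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_body(plaintext: bytes, passphrase: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity check
    return salt + nonce + tag + ct


def decrypt_body(blob: bytes, passphrase: str) -> bytes:
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def compose(sender: str, recipient: str, subject: str, body: str, passphrase: str) -> str:
    """Client side: build the RFC 5322 message that is handed to the provider."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject  # headers are NOT encrypted by any mail encryption scheme
    msg.set_content("\n".join(textwrap.wrap(encrypt_body(body.encode(), passphrase).hex(), 64)))
    return msg.as_string()


def server_view(raw: str) -> dict:
    """Everything the provider can read from its stored copy of the message."""
    msg = message_from_string(raw, policy=policy.default)
    return {"From": msg["From"], "To": msg["To"], "Subject": msg["Subject"],
            "body": msg.get_content()}


def recipient_view(raw: str, passphrase: str) -> str:
    """Recipient side: decrypt the body with the passphrase that never left the client."""
    msg = message_from_string(raw, policy=policy.default)
    blob = bytes.fromhex("".join(msg.get_content().split()))
    return decrypt_body(blob, passphrase).decode()


if __name__ == "__main__":
    raw = compose("alice@example.test", "bob@example.test", "order details",
                  "meet at noon", "correct horse battery staple")
    print(server_view(raw))      # From/To/Subject readable, body is hex ciphertext
    print(recipient_view(raw, "correct horse battery staple"))
```

Everything in `server_view` is what a provider can hand over: the envelope and subject are fully exposed, the body only as ciphertext. Anything the sender puts in the subject line is therefore in clear regardless of how good the body encryption is.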
 
Sites like this one and others are way too easy to find. Go to google and type in steroids. I believe that's how I stumbled across this site. Everyone is so paranoid that LE is suddenly aware of what's going on...shit! LE has known about these sites, and I'm sure LE is on this and many other sites everyday checkin things out. Everyone is so open around here with info on labs, and names of labs etc. Then they get surprised when that lab gets busted. Come on people! BTW good post on hushmail jh1.
 
I'm under the impression that one way to send an email that can't be "sniffed" by systems like echelon is to convert your message to an image file like a TIF or JPG and send as an attachment.
 
triceptor said:
I'm under the impression that one way to send an email that can't be "sniffed" by systems like echelon is to convert your message to an image file like a TIF or JPG and send as an attachment.


Theoretically Echelon could also catch that, but it takes a lot more horsepower since it would have to actually OCR the text and read it in real time - which is much more processor intensive than reading plain text in real time.

Take that a step further, and you could put encrypted text in picture. Or take encrypted data and hide it amongst the data of a legitimate picture. See: steganography.

Realistically the way Echelon would have to handle even the most basic level of text in pictures would be to offload those communications, when detected, to non-realtime systems. So detect in realtime, offload to farms dedicated to handling such processor intensive snooping, allowing the regular systems to go about their business.
 
jh1 said:
This whole Hushmail thing has piqued my interest...

This is from 1999, an article about hushmail where the whole premise was that they didn't have access to the passphrase, therefore couldn't decrypt messages:




http://www.news.com/Firm-unveils-encrypted-free-email/2100-1023_3-226160.html


And I believe that to be true, especially back in 2003, when the encryption decryption engine was a local java applet that never sent your passphrase to their servers. Now you login directly via HTTP/S so you are sending your phrase over the wire - they could and apparently do store this.

To the best of my knowledge, they still use java. Ostensibly, your passphrase is never transmitted outside of your machine, as long as the encryption/decryption is done using their Hush Encryption Engine, which runs as a java applet in one's browser. I suppose the only way to know for sure is to run a packet sniffer on one's connection while connected to Hushmail....

I just tested logging-in with a dummy account, even via https:; the Hush Encryption Engine still loads and appears to function normally. So, it would appear that https: does not automatically lead to your passphrase being sent over the wire to Hush's servers, where it can be captured/logged/sniffed.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
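The packet-sniffer test above boils down to one question: does the passphrase, in any encoding, appear in the bytes the client sends? Here is an added Python example, not Hushmail's code, that simulates two hypothetical webmail login designs, builds the request bytes a sniffer would capture, and scans the capture for the secret in raw, URL-encoded and base64 forms, which is the same check one would run over a real capture exported from Wireshark or tcpdump. The host name, user name, passphrase, salt and request formats are constructed assumptions.

```python
"""Constructed check: scan what leaves the client for the passphrase."""
import base64
import hashlib
from urllib.parse import quote, quote_plus, urlencode


def _kdf(passphrase: str, salt: bytes, context: bytes) -> bytes:
    # Domain-separated PBKDF2: the login verifier and the mail key come from
    # the same passphrase but neither can be computed from the other.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), context + salt, 100_000, dklen=32)


def login_request_sends_passphrase(user: str, passphrase: str) -> bytes:
    # Hypothetical design 1: a plain web form posts the passphrase itself.
    # The server (and anyone it answers to) now holds the decryption secret.
    body = urlencode({"user": user, "passphrase": passphrase})
    return (f"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def login_request_sends_verifier(user: str, passphrase: str, salt: bytes) -> bytes:
    # Hypothetical design 2: the client derives a login verifier locally and
    # posts only that; the passphrase and the mail key never leave the machine.
    verifier = _kdf(passphrase, salt, b"login-verifier").hex()
    body = urlencode({"user": user, "verifier": verifier})
    return (f"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def mail_key(passphrase: str, salt: bytes) -> bytes:
    # Key used client-side for message bodies; distinct context from the verifier.
    return _kdf(passphrase, salt, b"mail-key")


def capture_contains_secret(capture: bytes, secret: str) -> bool:
    """True if the secret appears in the capture in any common transport encoding."""
    candidates = [
        secret.encode(),                      # raw
        quote(secret).encode(),               # percent-encoded (path style)
        quote(secret, safe="").encode(),      # percent-encoded, everything
        quote_plus(secret).encode(),          # form encoding (space -> '+')
        base64.b64encode(secret.encode()),    # base64 (e.g. Basic auth)
    ]
    return any(c in capture for c in candidates)


if __name__ == "__main__":
    salt = bytes(16)  # constructed, per-user salt would normally come from the server
    pw = "correct horse battery staple"
    print("design 1 leaks:", capture_contains_secret(login_request_sends_passphrase("alice", pw), pw))
    print("design 2 leaks:", capture_contains_secret(login_request_sends_verifier("alice", pw, salt), pw))
```

Note that a passing scan only shows the passphrase is not sent verbatim; it says nothing about whether the code performing the derivation was served honestly by the provider that night, which is the weakness the thread's earlier point about the Java applet being replaced by server-side handling is really about.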
 