Releaselog

Hushmail not as secure as previously thought?

After you have read what seems like a million scene NFOs, you get used to the format. They all pretty much go ASCII art, Info, Description, Install Notes, Group Notes and then Greets. They usually also contain an email address at which the group can be contacted. The scene favourite at the moment has got to be Hushmail. Why is it a favourite of sceners? Well, it offers privacy and security not found in other free email services, such as the use of PGP signatures, which can be used to verify the sender of an email. At least 50% of scene email addresses have got to be hosted on Hushmail because, until recently, it was believed to be secure and to allow a high level of anonymity with no IP logging. The company proudly boasts that:

“Hushmail’s security cannot be broken or weakened by this government sponsored snooping software… The only way to decrypt or unscramble Hush messages is by using your passphrase when you open up your Hushmail account. Carnivore cannot decrypt your mail, and is therefore, powerless against messages sent between Hush users.”

However, all this highly sophisticated software proved useless when a court document revealed that Hushmail (the company) willingly sent three CDs of decrypted emails to the US DEA as part of a mutual legal assistance treaty between the United States and Canada. This news will be embarrassing to a company which proudly boasts that its emails cannot be read by the authorities. Even though this case is about an anabolic steroid manufacturer, this sort of “co-operation” could, and most likely will, affect scene groups and users who use Hushmail thinking that they are secure when they could potentially be busted by the same company that promises to protect them. The company also recently admitted that, contrary to what was previously thought, it does indeed log IP addresses as well, “to analyze market trends, gather broad demographic information, and prevent abuse of our services.” Not when requested by US authorities… eh?

Source: iTnews

Comments (49)

  1. bewb
    November 18th, 2007 | 05:46

    lololol ..

    Nothing is secure nowadays.

  2. poo
    November 18th, 2007 | 05:52

    You can’t trust anyone but yourself nowadays. Liars everywhere. :(

  3. poo
    November 18th, 2007 | 05:55

    Slashdot also says they handed over the keys to decrypt the messages.

  4. jonnyBoy
    November 18th, 2007 | 06:30

    @2 [poo]

    You can’t even trust yourself anymore…

  5. blues
    November 18th, 2007 | 06:30

    Who knows if they are getting paid off to give the scene emails and IPs or any information to the RIAA, MPAA etc. etc. or any other ho organization. Looks like u should be looking for another email place…

  6. jonnyBoy
    November 18th, 2007 | 06:35

    @3

    [pulls trigger, dies]

  7. OLD NEWS
    November 18th, 2007 | 06:39

    This is such old news from last week, if you’re going to report tech news or “Security” news don’t wait days to report!

  8. WakkoBlues
    November 18th, 2007 | 06:53

    It’s not old news to me. So I actually appreciate it instead of acting like I’m superior because I’m such a nerdy tool.

    Thank You RLSlog.

  9. Darth
    November 18th, 2007 | 06:56

    The ability to encrypt an email is insignificant, next to the power of the DEA!

  10. saywhat
    November 18th, 2007 | 07:12

    Where in your source does it state they log IP addresses? I don’t see any mention of that.

  11. robespierre
    November 18th, 2007 | 07:13

    guess it sticks a 2×4 in the heads of people who see third world and Chinese doing conspiracy and spying everywhere… with friends like hushmail who needs enemies

  12. TheEnd187
    November 18th, 2007 | 07:13

    All your E-mail are belong to DEA

  13. blues
    November 18th, 2007 | 07:17

    The company also recently admitted that unlike previously thought that it does indeed log IP addresses as well “to analyze market trends, gather broad demographic information, and prevent abuse of our services.” Not when requested by US authorities… eh?

    read the whole thing number 10

  14. robespierre
    November 18th, 2007 | 07:19

    next step will be rslog given our email ;email ( will not be shown ) (required)

    in exchange of money and mr x selling us all for our racist comments

  15. Tank
    November 18th, 2007 | 07:27

    This probably WILL be distressing to release groups.

    After all if they were the sort of n00bs who thought they had some sort of secure email where a corporation held your keys to start with, then that corporation using those keys to decrypt your emails (the only purpose of holding them) WILL come as a surprise.

    It’s kind of like handing your car keys to a valet then recoiling in shock when you find out he used them to park your car. WTF did you think was the point of requiring your keys nimrod?

    This isn’t even a question of something changing with Hushmail. When you say it is “not as secure as previously thought” the only problem there is why you thought a system with an explicitly stated backdoor was secure.

  16. B_FROM_THE_D
    November 18th, 2007 | 07:39

    wtf we get no privacy at all anymore, they should just sell computers and TVs with cams built in so the government can see us stroke it to a free porn :) lol just my thought

  17. November 18th, 2007 | 07:51

    hilarious , 16

  18. NuZZ
    November 18th, 2007 | 07:57

    @16
    Yeah man just wait for the global mandatory implants with GPS and shyt.
    Oh, it just monitors the vital signs so that if you’re in trouble an ambulance will come. But what they don’t tell you is that there is a small vial of neurotoxins in there.

  19. Rekrul
    November 18th, 2007 | 08:04

    Want secure email? Simple, just encrypt/decrypt the messages on your system with PGP rather than trusting a web site to do it for you and as Kelly Bundy would say “Viola!” secure email. Well, as secure as you can get in practical application.

  20. Thingy
    November 18th, 2007 | 08:12

    USA: The home of the dollar and peoples lives and privacy are sold everyday without them even knowing.

  21. mvs
    November 18th, 2007 | 08:20

    if a scene grp is stoopid enough to use hush they deserve it

  22. hirmu
    November 18th, 2007 | 08:29

    I’m with PGP on this one too.

    Why can’t the groups put their public PGP keys on their .nfos and list a couple of email addresses? So what if one of the addresses gets compromised, no one can decrypt the stuff in it anyway.

  23. GT
    November 18th, 2007 | 08:30

    if a machine like mentioned in dan brown’s digital fortress does exist, then no encryption will do to prevent the e-mails from getting snooped upon.

  24. Tank
    November 18th, 2007 | 08:50

    > Rekrul – November 18th, 2007 | 08:04
    > “Want secure email? Simple, just encrypt/decrypt
    > the messages on your system with PGP rather than
    > trusting a web site to do it for you and as Kelly
    > Bundy would say “Viola!” secure email. Well, as
    > secure as you can get in practical application.”

    Except privacy from sniffing content in transit wouldn’t be the goal here. Who cares what the email says if it came from moviepiracygroup@email.com ? It’s about movie piracy. It also came from the trail of email servers that lead back to your ISP’s, and therefore your identity.

    The goal here would be anonymising the identity of the email owner. Anonymous remailers and nym accounts have been doing this for more than a decade, along with protecting the content and the users from every other real and theoretical attack imaginable.

    In their case your emails are readable only by you, who you’ve sent them to is known only by you, who they’ve come from is known only by your recipient and the only way any of this is getting broken is if the NSA gets interested and spends several decades on trying to find out.

    These are not for casual use. You spend the time maintaining these accounts if you *need* your email to be as secure as possible and trade off the kind of convenience that requires.
    Anything short of that, it’s more convenient but not that secure. Simple.

  25. tucker
    November 18th, 2007 | 08:55

    hey i use hushmail. will my mum now find out about my ghey pr0n and such? thx bye.

  26. JustGuessing
    November 18th, 2007 | 09:07

    We must keep in mind here that the e-mail address in these nfo’s is for contacting the scene only, the sender is the one taking the risk here.

    I’m sure that the more private conversations and important data are not transmitted in this way and in fact are done through PGP etc.

    In reality nothing is safe, but I’m pretty sure the e-mail addresses in nfos aren’t used for anything too private, we cannot assume it is.

  27. jonnyBoy
    November 18th, 2007 | 09:12

    @25 [tucker]

    Yes.

    She will.

  28. jen
    November 18th, 2007 | 09:14

    @tucker
    so what email service is the best?

  29. November 18th, 2007 | 09:20

    hotmail is the best email

  30. costa200
    November 18th, 2007 | 10:05

    @29
    LOL

  31. hush
    November 18th, 2007 | 10:05

    Hotmail sucks bawlls.

    @Mr. X, I think what you are trying to say is “HotMale”
    :D

  32. YoKo
    November 18th, 2007 | 10:07

    @25

    ROTFL

  33. Tank
    November 18th, 2007 | 10:19

    > JustGuessing – November 18th, 2007 | 09:07
    > We must keep in mind here that the e-mail
    > address in these nfo’s is for contacting
    > the scene only, the sender is the one
    > taking the risk here.

    Er… no. That’s why they use hushmail in the first place and you don’t.

    > In reality nothing is safe, but i’m pretty
    > sure the e-mail addresses in nfos aren’t
    > used for anything too private, we cannot
    > assume it is.

    Er… yeah you can assume that.
    You can assume that whatever is in the email is read by the account owner. The content is irrelevant. You don’t need to tell someone in an email sensitive personal information, they can gather this themselves simply by you opening it.

  34. cult of the dead cow
    November 18th, 2007 | 10:23

    cryptomail.org

  35. 9_P
    November 18th, 2007 | 10:53

    Why do people reply to comments about mothers catching you jerk off when there are replies (tank) that are actually giving relevant answers to the questions this topic proposes. This is done with. Don’t use hush or leave a trail like a fool if you’re in the scene; surprise?

  36. Denny Crane
    November 18th, 2007 | 11:50

    @NuZZ

    ..welcome to the world dude, I’ve been thinking about the implant thing for a while myself now, I can well see that happening,…

    ..there’s an old saying (well old to me) that military technology is always 25 years in advance of public technology..

    …so satellites can read your licence plate from space, the chips on your credit card can be read wirelessly, cold fusion is probably possible..

    ..it’s just nobody has told us yet..

    http://en.wikipedia.org/wiki/ECHELON

    …just proves what they’ve told us, and by my previous equation it’s worse than that!

  37. Toyman
    November 18th, 2007 | 12:20

    Windows is a surveillance tool for the CIA.
    There is a backdoor so they can snoop on anyone who is of interest to them.
    If you encrypt anything, you are considered guilty if you do not provide the decrypt key.
    You will be incarcerated in Guantanamo with no charge forever.
    The plane that crashed into the Pentagon was vaporized by burning kerosine!
    Wake up people

  38. bob
    November 18th, 2007 | 12:41

    @13 / blues: If you’re just gonna prove you’re a moron, why not shut up instead?

    #10 / saywhat asked where in the writer’s SOURCE (iTnews) it said they logged IPs. Everyone can see it says so in the ARTICLE here on RlsLog!

    If you’re gonna be a smartass, make sure you don’t appear dumb first! ;)

  39. 0000
    November 18th, 2007 | 13:02

    #38

    Have you checked the comments made on the source?

    “Posted by Concerned, 18/11/2007 7:54:56 AM”

    Comments made in articles are sometimes just as important as the article itself.

    ……………..

    “Here is a better one. A Canadian company divulging personal data to U.S. law enforcement is a violation of Canadian law.”

    From the complaint, it’s clear the Hushmail.com evidence was obtained via a MLAT, so actually the RCMP is the one interacting with Hushmail.com, not the US DEA.

    What wasn’t mentioned in the article, is that not only was unencrypted email accessible to Hushmail.com, they are also logging and archiving IP addresses used to access mailboxes. So the Hushmail.com privacy statement:

    “Web logs and cookies
    Hush.com and Hushmail.com do log IP addresses to analyze market trends and gather broad demographic information for aggregate use.”

    is at best “incomplete”, but one might argue outright fraudulent.

    What’s not clear is how they obtained plain text eMails. If the details are accurate, and the product description complete, then the only way it could occur is if the product encrypts using 2 keys, one being a public key in which Hushmail.com holds the corresponding private key. Anything else, such as plaintext version existing anywhere in the chain, would invalidate any sort of security model. I’d like to hear from Hushmail.com on the process they maintain specifically to satisfy court orders, yet at the same time publish this statement:

    “Does Hushmail have a “back door” so that people with a special key can decrypt any message?
    Hushmail is compliant with the OpenPGP standard which does not have any backdoors in it. Your encrypted email cannot be decrypted without your own secret passphrase and private key.”

    Posted by Concerned, 18/11/2007 7:54:56 AM

    …………………

  40. Tom
    November 18th, 2007 | 13:21

    http://www.safe-mail.net/ is the way to go

  41. Anon
    November 18th, 2007 | 13:43

    @41

    lol. how safe is safe mail though? who is to be trusted?

    Only way you can truly trust something is if you work inside and know the exact inner workings of the system they use and what they do with your emails.

    As seen with hushmail they advertise that it’s private!!! and fully secured, but they hand ya emails to government officials.

    Nothing can be trusted anymore when it comes to the internet, can you even trust yourself? maybe we are all in a matrix and there are people manipulating us from above?!?!?!?! hahahaha

    anyways jokes aside. If you are paranoid about the internet then just simply don’t use it. If you are paranoid about life then simply end it. hahaha XD

    Just watch the movie Gattaca sooner or later a world like that will be born. Where everything is science based, and security is to a whole new level, where cyberspace mixes in with real life.

  42. Hush mail
    November 18th, 2007 | 14:58

    I read somewhere about this. Normally there is an applet that runs on your computer to encrypt / decrypt messages. The applet is downloaded from Hushmail and set up by the user with the keys etc. However, if you can’t be bothered / don’t know, there is a n00b option where encryption / decryption is done at the server end; however, Hushmail then has your keys and the messages may or may not be secure in transit from your PC to Hushmail (depending on SSL connection). I believe it was this n00b option that got busted. So the proper method should still have some security as long as the encryption applet is not compromised by some trojan etc…

  43. Lebanon
    November 18th, 2007 | 15:09

    @36

    Adobe owns Cold Fusion

  44. artards
    November 18th, 2007 | 15:15

    I agree with 26 & 39. Just because there’s an e-mail address in an nfo for contacting a scene, doesn’t mean the scene depends on it for all their communication, or that they even use it to reply. I’m sure if anyone is careful about their data transfer, it’s some of the scene, we can’t talk down on their methods when we don’t even know what they are actually using.

  45. TorrentU
    November 18th, 2007 | 15:31

    Heard about it here first:
    http://www.p2p-blog.com/item-410.html

  46. lostart
    November 18th, 2007 | 16:55

    “if you dont know anything about security you deserve to get caught n your butthole flamed by some govt gaaylords

    ever heard of proxy tunnels? ever heard of running a transponder on a fluctuating cycle to seesaw your MAC address? ever heard of wireless hotspots? ever heard of … the list goes on and on and on”

    Ok first off, I didn’t know about any fluctuating cycle of transponders seesawing my MAC address. It sounds so techy, so it must be something cool. But after thinking a while, you mean just changing my MAC address constantly? Wow, that is some serious hi-tech information. It really helps the people who have been wise enough to send private keys to some server when sending e-mails.

    Wireless hotspots? Tunneling? What does it matter, if the person on the other end doesn’t use these. Just take a situation of some group, you only need to get one of the people, and I bet the pressure is high enough to rat out the rest of the “sceners”.

    Just think it yourself, if you would be in a group – if they offer you to get away more easily, would you not give away all your information?

    Privacy contains a lot more than just technical stuff.

  47. eye0eye
    November 18th, 2007 | 23:59

    Only 3 email addresses were affected and those were to do with drugs.. And anyway like 44 said, if you use the Java applet and do “client side” encryption you are still secure. The keys are never sent to the Hushmail server.

    Read the interview with the Hushmail CTO here
    http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

  48. Bob
    November 19th, 2007 | 11:19
  49. Jo
    January 2nd, 2008 | 14:33

    What secret police organisation wouldn’t want to set up a secure email company?
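
The difference comments 42 and 47 describe, between decrypting in the downloaded applet and letting the server do it, modelled as an added example (not from the original post or from Hushmail's code). `MailServer` is a hypothetical provider, the cipher is a standard-library stand-in for OpenPGP, and the passphrase and message are constructed.

```python
import hashlib, hmac, os

# Standard-library stand-in for OpenPGP so the example runs offline.
# Not for real use; only where the passphrase travels matters here.
def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=64)

def _stream(ek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    ek, mk, nonce = key[:32], key[32:], os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + hmac.new(mk, nonce + body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes):
    ek, mk = key[:32], key[32:]
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + body, hashlib.sha256).digest()):
        return None  # wrong key or modified blob
    return bytes(a ^ b for a, b in zip(body, _stream(ek, nonce, len(body))))

class MailServer:
    """Hypothetical provider: remembers what it stores and every secret it is sent."""
    def __init__(self):
        self.mailbox, self.seen_passphrases = [], []
    def store(self, salt: bytes, blob: bytes):   # both modes: ciphertext at rest
        self.mailbox.append((salt, blob))
    def webmail_read(self, passphrase: str):     # server-side mode: passphrase is uploaded
        self.seen_passphrases.append(passphrase)
        return [unseal(derive_key(passphrase, s), b) for s, b in self.mailbox]

    def producible_plaintext(self):              # what the operator is able to decrypt
        keys = [(s, b, derive_key(p, s)) for s, b in self.mailbox
                for p in self.seen_passphrases]
        return [m for s, b, k in keys if (m := unseal(k, b)) is not None]

def demo():
    passphrase, salt, msg = "constructed-passphrase", os.urandom(16), b"meet at noon"
    applet_mode, server_mode = MailServer(), MailServer()
    for srv in (applet_mode, server_mode):
        srv.store(salt, seal(derive_key(passphrase, salt), msg))
    # Applet mode: the blob is fetched and decrypted on the user's machine.
    s, b = applet_mode.mailbox[0]
    local = unseal(derive_key(passphrase, s), b)
    # Server-side mode: the passphrase is typed into the web form.
    remote = server_mode.webmail_read(passphrase)[0]
    return local, remote, applet_mode.producible_plaintext(), server_mode.producible_plaintext()

if __name__ == "__main__":
    print(demo())
```

Both servers hold the same kind of ciphertext; only the one that was sent the passphrase can turn it back into plaintext.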
