Re: Hushmail CTO interviewed (Re: Hushmail in U.S. v. Tyler Stumbo)
http://blog.wired.com/27bstroke6/hushmail-privacy.html

I was impressed by Hushmail's candor in the above email exchange. They generally have been open with their statements. OTOH I was quite disappointed, actually worse than that, about the content of their answers.

Hushmail seemed to have a philosophy of doing things "right". They developed a product based upon strong, peer reviewed algorithms, used well known, common and trusted PGP as a design, created an open source implementation, moved "encryption for the masses" closer to reality by addressing some of the inconveniences of PKI, located their servers in areas outside of the US, were open in discussing the threat models, trust models, design and implementation, had people associated with them who were known for their commitment to privacy, were adamant about not allowing Carnivore to be attached to their systems, were open about complying with court orders by saying that the stored data would be turned over, but that emails which used PGP in some form would only be available in encrypted form. For all the Snake Oil out there, Hushmail seemed to at least have the right attitude and philosophy; they "got it".

Now it appears that this attitude and philosophy have changed. They didn't just passively turn over stored encrypted data in complying with court requests, but have, at the very least, allowed, and much more likely, assisted in the compromising of their own systems. The first decision was to allow a version which exposed the passphrase on their servers and make it the default configuration. This opened things up for the second decision, to modify their own systems to provide access to the very limited window and then actively collect cleartext during this small window.

It would be one thing to find out that Hushmail had lax security and their systems had been hacked. But to find out that Hushmail had hacked their own systems, had actively compromised their own servers in direct violation of the purpose of their business is quite a betrayal. One not just of the user, but of principle.

I know that Philip Zimmermann was associated with Hushmail for at least some portion of time. IMHO these actions by Hushmail are in strong contrast to his essay, "Why I Wrote PGP," and are much more in line with the linking of Donald Kerr, the principal deputy director of [US] national intelligence: "Privacy no longer can mean anonymity ... Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." http://www.cnn.com/2007/POLITICS/11/11/terrorist.surveillance.ap/index.html

Furthermore, I conjecture that the complicity of Hushmail has significantly weakened the entire PGP system. The active compromising of their servers and weak implementation of PGP provides an opening for organizations to look at the contents of PGP'd email which has been sent to a Hushmail user. The PGP community may now assume that the passphrases of any Hushmail user have been compromised. The number of Hushmail users means that the effect on the PGP system is much greater than a keylogger installed on a single PGP user's machine.

rearden

On Thu, 08 Nov 2007 14:41:35 -0500 Sidney Markowitz [EMAIL PROTECTED] wrote:

There's an informative article in a Wired blog in which Hushmail CTO Brian Smith provides some information that hints at what happened in this case, although he would not speak specifically about the case. See http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

His implication is that the target was using their simplified version of Hushmail that encrypts on the server, using an SSL connection to send the passphrase from the client to the server then providing an interface similar to ordinary webmail. The court order may have required Hushmail to save and hand over the password and/or the decrypted mail. Since Brian Smith would not say exactly what happened in this case, we can't tell if they modified the system to save the target's password the next time they used it and handed that over along with historical stored encrypted mail, or if the modification was to save unencrypted mail sent after the court order was received, or something else I haven't thought of. In any case, Smith said that Hushmail only complies with court orders that target specific accounts and would not take any action that would affect users not specifically targeted by a court order.

My reading of Smith's statements in the interview is that Hushmail would be subject to a court order requiring them to supply a hacked Java applet to someone who is using their Java based client-side encryption. There is no doubt that would be technically feasible, it is mentioned and would fall within the guidelines for court orders that Smith said that Hushmail would comply with.
Re: forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)
Adam Back wrote:

On Fri, Nov 02, 2007 at 06:23:30PM +0100, Ian G wrote:

I was involved in one case where super-secret stuff was shared through hushmail, and was also dual encrypted with non-hushmail-PGP for added security. In the end, the lawyers came in and scarfed up the lot with subpoenas ... all the secrets were revealed to everyone they should never have been revealed to. We don't have a crypto tool for embarrassing secrets to fade away.

What about deleting the private key periodically? Like issue one pgp sub-key per month, make sure it has expiry date etc appropriately, and the sending client will be smart enough to not use expired keys. Need support for that kind of thing in the PGP clients. And hope your month's key expires before the lawyers get to it. Companies have document retention policies for stuff like this... dictating that data with no current use be deleted within some time-period to avoid subpoenas reaching back too far.

Hi Adam, many people have suggested that. On paper, it looks like a solution to the problem, at least to us. I think however it is going to require quite significant support from the user tools to do this. That is, the user application is going to have to manage the sense of lifetime over the message.

One tool that does approach this issue at least superficially is Skype. It can be configured to save chat messages for different periods of time, I have mine set to around 2 weeks currently. But, then we run slap-bang into the problem that the *other* client also keeps messages. How long are they kept for? I'm not told, and of course even if I was told, we can all imagine the limitations of that.

I hypothesise that it might be possible to use contracts to address this issue, at least for a civil-not-criminal scope. That is, client software could arrange a contractual exchange between Alice and Bob where they both agree to keep messages for X weeks, and if not, then commitments and penalties might apply. Judges will look at contracts like that and might rule the evidence out of court, in a civil dispute. OK, so we need a lawyer to work that out, and I'm definitely whiteboarding here, I'm not sure if the solution is worth the effort.

Which is why I am skeptical of schemes like delete the private key periodically. Unless we solve or address the counterparty problem, it just isn't worth the effort to be totally secure on our own node. We know how to do invisible ink in cryptography. How do we do its converse, fading ink?

iang

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
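A simulation of Adam Back's one-subkey-per-month proposal, added here as an illustration and not code from this thread or from any PGP implementation: the sender refuses expired subkeys, the recipient destroys the private half of expired ones, and ciphertext sealed to a destroyed subkey becomes unrecoverable even with the stored bits in hand. The Subkey/Keyring names are hypothetical, and a stdlib SHA-256 counter-mode keystream stands in for real OpenPGP packet encryption.

```python
import hashlib, os
from dataclasses import dataclass, field
from datetime import date, timedelta
def keystream_xor(key, nonce, data):
    # Toy SHA-256 counter-mode keystream standing in for OpenPGP's real packet
    # encryption, so the example stays stdlib-only (illustration, not for real use).
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Subkey:
    key_id: str      # hypothetical short id, like an OpenPGP subkey id
    created: date
    expires: date    # public, so a sender can see it and refuse expired keys
    secret: object   # private half (bytes); None once the holder has destroyed it

@dataclass
class Keyring:
    subkeys: list = field(default_factory=list)

    def issue_monthly(self, month_start):
        # One encryption subkey per month, expiring 31 days after creation.
        sk = Subkey(os.urandom(4).hex(), month_start,
                    month_start + timedelta(days=31), os.urandom(32))
        self.subkeys.append(sk)
        return sk

    def current(self, today):
        # Sender side: newest subkey whose validity window covers today, else None.
        valid = [k for k in self.subkeys if k.created <= today < k.expires]
        return max(valid, key=lambda k: k.created) if valid else None

    def prune(self, today):
        # Recipient side: destroy the private half of every expired subkey.
        expired = [k for k in self.subkeys if k.expires <= today and k.secret]
        for k in expired:
            k.secret = None
        return len(expired)
def encrypt(ring, today, plaintext):
    sk = ring.current(today)
    if sk is None:
        raise ValueError("no unexpired subkey for recipient; refusing to send")
    nonce = os.urandom(12)
    return sk.key_id, nonce, keystream_xor(sk.secret, nonce, plaintext)
def decrypt(ring, key_id, nonce, ciphertext):
    # Returns None once the matching private subkey has been destroyed.
    sk = next((k for k in ring.subkeys if k.key_id == key_id), None)
    return None if sk is None or sk.secret is None else keystream_xor(sk.secret, nonce, ciphertext)
```

Ian's counterparty objection still applies: the sender's own copy of the plaintext, and anything the other client retains, are untouched by the recipient's key destruction.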
Re: forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)
Ian G wrote:

I was involved in one case where super-secret stuff was shared through hushmail, and was also dual encrypted with non-hushmail-PGP for added security. In the end, the lawyers came in and scarfed up the lot with subpoenas ... all the secrets were revealed to everyone they should never have been revealed to. We don't have a crypto tool for embarrassing secrets to fade away.

Adam Back wrote:

What about deleting the private key periodically?

Mail should have the following security properties:

Mail that appears to come from an entity really did come from that entity. Though the recipient can prove to himself the mail came from that sender, he cannot prove it to third parties unless the sender cooperates.

If the sender and the recipient discard their copies, that mail is gone forever. No one can reconstruct it, even though they have a complete record of the bits passed between the sender and recipient and complete access at a later date to the machines of the sender and recipient and the complete cooperation, possibly under extreme duress, of both sender and recipient.

If the sender or the recipient keep a copy that they can access, then the guys with rubber hoses can shake it out of them, but they can only see this stuff with the cooperation, possibly under duress, of the sender or the recipient - and they only have the sender's or the recipient's word that this is the real stuff. If the recipient deleted his stuff, and the guys with rubber hoses look at the sender's sent box, they cannot know it is the original and unmodified sent box, and vice versa for the recipient's in box.

We have the technology to accomplish all this, but not with the present store and forward architecture.
Re: Hushmail in U.S. v. Tyler Stumbo
StealthMonger wrote:

[snip]

The larger truth is that a consequence of using Hushmail is that a record of when, with whom, and the size of each communication is available to Hush, even though the content is concealed.

So the obvious point is that Hushmail, and systems like it, become concentrators and possible single points of failure. If, on the other hand, you handled your own PKI to send symmetrical keys to your correspondents and managed the keys with something like StrongKey, then one could use a vast number of ISPs/SMTP points so that they may never get a clear path of send and reply through a single ISP.

As Jon Callas said, "If the system is strong, it all comes down to your operational security." Security is not a thing, it is a process that uses tools and procedures to accomplish the goal. As I like to say, security is a lot like democracy - everyone's for it but few understand that you have to work at it constantly.

Best,

Allen
Re: Hushmail in U.S. v. Tyler Stumbo
I don't know anything about this case, so everything I say is pure supposition.

Let's suppose you have Alice and Bob who are working together on some sort of business, and they are using some OpenPGP [1] software to encrypt their emails that pertain to that business. Let's suppose that the authorities then decide to raid Bob. Let us then suppose that they go to Alice's ISP and get a lot of encrypted email, by warrant, subpoena, etc. It doesn't matter for our purposes what ISPs Alice and Bob are using, nor what OpenPGP software they are using.

* Let us consider the case where Bob turns state's evidence. If those emails were encrypted to both Alice's key and Bob's key, after Bob turns state's evidence, the authorities can decrypt all the messages they seized from Alice's ISP. It doesn't matter what Alice did with her key or what Alice's ISP did with it. They can be decrypted because Bob's key has been compromised.

* Let us consider the same basic scenario where all the messages are encrypted to the sender's, but not the recipient's key. In this case, the authorities can decrypt all of Alice's messages to Bob, but not Bob's messages to Alice. After they have compromised Bob, all of Alice's messages to Bob can be decrypted. The fact that Alice's security is untouched is mostly irrelevant. Alice is likely toast, not because of the cryptography, but because Bob has been compromised, and Bob's key decrypts mail Alice has sent.

* Let us consider a slightly different scenario in which neither Alice nor Bob are compromised, but Bob is detained. If the authorities raid Alice's ISP, despite the fact that they cannot decrypt the messages, they may be able to show a connection between Alice and Bob. If they have been CCing themselves, then you'll find the same undecryptable message in each mailbox. If they have been using reply, there's probably metadata in the plaintext headers that shows that M_n is a reply to M_{n-1} ... M_1, and thus you have a chain of messages. If there is other evidence, such as Bob sending checks to Alice every so often, the cryptography may be moot or worse than moot. (If those messages are harmless, why don't you decrypt them? Yes, this can get into many interesting discussions like the applicability of Amendments 4 and 5, but these are also not cryptographic. I really don't want to discuss them because I'll bet we agree.)

Cryptography is not magic pixie dust that you can sprinkle on a security problem and make it go away. If your adversary is a major national government, you have operational security issues, as well. If your adversary is a major national government that has direct authority over where you live, then you have a much larger problem. The adversary is going to use forensic analysis, traffic analysis, and anything else they can think of. They are also not dumb. You also have to expect that third parties, including ISPs, are unlikely to see why they should fail to comply with legal documents like subpoenas and warrants because of what you did.

Smart cryptographers make sure there are no backdoors in the crypto, because if there were, then every beat cop and two-bit mafioso will want you to break just that one message -- or else. If the system is strong, it all comes down to your operational security.

Jon

[1] I have to give a now-usual rant. PGP is a trademark of PGP Corporation and refers to software it makes. OpenPGP is an IETF standard that covers encryption, certificates, and digital signatures. There are many products that implement the OpenPGP standard. PGP software is one of those. But other products, such as GnuPG, Hushmail, Bouncy Castle, and so on also implement the OpenPGP standard. Furthermore, PGP software implements other standards than OpenPGP. For example, PGP software implements the S/MIME and X.509 standards as well as the OpenPGP standard.
Re: Hushmail in U.S. v. Tyler Stumbo
On Nov 1, 2007, at 10:49 AM, John Levine wrote:

Since email between hushmail accounts is generally PGPed. (That is the point, right?)

Hushmail is actually kind of a scam. In its normal configuration, it's in effect just webmail with an HTTPS connection and a long password. It will generate and verify PGP signatures and encryption for mail it sends and receives, but they generate and maintain their users' PGP keys. There's a Java applet that's supposed to do end to end encryption, but since it's with the same key that Hushmail knows, what's the point?

I'm sorry, but that's a slur. Hushmail is not a scam. They do a very good job of explaining what they do, what they cannot do, and against which threats they protect. You may quibble all you want with its *effectiveness* but they are not a scam. A scam is being dishonest.

You also mischaracterize the Hushmail system. The classic Hushmail does not generate the keys, and while it holds them, they're encrypted. The secrets Hushmail holds are as secure as the end user's operational security. I know what you're going to say next. People pick bad passphrases, etc. Yes, you're right. That is not being a scam.

They have another system that is more web-service oriented, and they explain it on their web site far better than I could. It has further limitations in security but with increased usability. It is also not a scam.

Jon