On 11/1/07, Jon Callas <[EMAIL PROTECTED]> wrote: > > I'm sorry, but that's a slur. Hushmail is not a scam. They do a very > good job of explaining what they do, what they cannot do, and against > which threats they protect. You may quibble all you want with its > *effectiveness* but they are not a scam. A scam is being dishonest.
I was unable to read the document discussed in the message that started this thread, so I retrieved the complaint in US v. Tyler Stumbo from PACER. I have placed it online at <http://www.parrhesia.com/stumbo_complaint.pdf>. In particular, the one of the passages referred to in the initial message states: ["Item #5"] A review of e-mails from e-mail address [EMAIL PROTECTED] between February 14, 2007 and May 17, 2007, revealed OSOCA filled 88 separate anabolic steroid orders for a total sale of $36,024.00. During a review of the e-mails, SA Shawn Riley identified OSOCA'S Chinese SOS for bulk powdered anabolic steroids as "GLP". GLP was using the email address [EMAIL PROTECTED] to communicate with OSOCA. The e-mails between [EMAIL PROTECTED] and [EMAIL PROTECTED] showed there were two shipments of bulk powdered anabolic steroids from GLP to OSOCA. Both orders were sent to Tyler STUMBO at 9530 Hageman; Suite B #192, Bakersfield, CA. An address check revealed 9530 Hageman, Suite B, Bakersfield, CA is a UPS Store. [end quoted material] According to Hushmail's "About -> How Hushmail Works" page at Figure 1, "The user's passphrase encrypts and decrypts the user's private key so that no one but the user ever has access to it. Not even Team Hush." At Figure 4, same page, Hushmail states " [...] The email may only be decrypted by using the one-time message key. * The message key can only be decrypted by using the recipient's private key. * The recipient's private key can only be decrypted by entering the recipient's personal passphrase." At Figure 5, same page, Hushmail states "So, not only is the email securely coded before it is ever stored on a server, but the key to decode the email is also encoded. Further, the private key needed to decrypt this key is also encrypted. Only the recipient can retrieve their private key by entering their secret personal passphrase." On the page "About -> The Need For Hushmail", Hushmail states "[...] By contrast, Hushmail keeps your online communications private and secure. Not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer. A Hushmail account lets you communicate in total security with any other Hush member or PGP-compatible email user anywhere in the world." In its "Hush Encryption Engine White Paper" available at <https://www.hushmail.com/public_documents/Hush%20Encryption%20Engine%20White%20Paper.pdf>, Hushmail states on page 4: "When the Private Key is residing on a Hush Key Server, it is encrypted with a passphrase. That passphrase never leaves the user's computer. Hence, at no point is the Private Key or any private data ever accessible to anyone at Hush. As long as you have a good, strong passphrase, even if Team Hush tried, we couldn't get your Private Key. Furthermore, even if the company were subpoenaed by a court of law, a private key wouldn't be accessible. This can be verified by reviewing our published source code at http://www.hush.ai/."; In its "Webmail Using The Hush Encryption Engine" document available at <https://www.hushmail.com/public_documents/Webmail%20Using%20the%20Hush%20Encryption%20Engine.pdf> at page 3, Hushmail states: "Hushmail fulfills the following requirements: [...] 3. Private keys and private data may only be decrypted on the client computer, never on any server." In the introductory e-mail sent to new Hushmail users, Hushmail states: "Hushmail users can send encrypted email to anybody with an email address. If the recipient of your email is another Hushmail or PGP user, the encryption will take place automatically without any action on your part." As a longtime paid Hushmail user, I am surprised to learn that it is possible to send email to another Hushmail user which is accessible to Hushmail corporate employees and, by extension, the Canadian government, and any organization they choose to cooperate with. I was unable to identify the Hushmail documentation which would explain the company's ability to comply with the MLAT requests as demonstrated in the Stumbo matter. I was able identify a number of statements which would lead the average reader to conclude that the company is unable to provide the sort of cooperation discussed in the Stumbo complaint. I agree that it is possible that one or both of the correspondents in the Stumbo case used a weak passphrase which was susceptible to a dictionary attack. I would be surprised to learn that Hush Communication actively engages in dictionary attacks versus its users at the request of the Canadian government. If that is the case, this would seem to go beyond an obligation to merely turn over existing information, and become active participation in an attempt to subvert the security of communication between Hushmail users. -- Greg Broiles, JD, LLM Tax, EA [EMAIL PROTECTED] (Lists only. Not for confidential communications.) Legacy Planning Law Group San Jose, CA California Estate Planning Blog: http://www.estateplanblog.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
