Re: Hushmail CTO interviewed (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-16 Thread auto37159
http://blog.wired.com/27bstroke6/hushmail-privacy.html

I was impressed by Hushmail's candor in the above email exchange.
They generally have been open with their statements.  OTOH I was
quite disappointed, actually worse than that, about the content of
their answers.  Hushmail seemed to have a philosophy of doing
things "right".  They developed a product based upon strong, peer
reviewed algorithms, used well known, common and trusted PGP as a
design, created an open source implementation, moved "encryption
for the masses" closer to reality by addressing some of the
inconveniences of PKI, located their servers in areas outside of
the US, were open in discussing the threat models, trust models,
design and implementation, had people associated with them who were
known for their commitment to privacy, were adamant about not
allowing Carnivore to be attached to their systems, were open about
complying with court orders by saying that the stored data would be
turned over, but that emails which used PGP in some form would only
be available in encrypted form.  For all the Snake Oil out there,
Hushmail seemed to at least have the right attitude and philosophy;
they "got it".

Now it appears that this attitude and philosophy have changed.
They didn't just passively turn over stored encrypted data in
complying with court requests, but have, at the very least,
allowed, and much more likely, assisted in the compromising of
their own systems.  The first decision was to allow a version which
exposed the passphrase on their servers and make it the default
configuration.  This opened things up for the second decision, to
modify their own systems to provide access to the very limited
window and then actively collect cleartext during this small
window.  It would be one thing to find out that Hushmail had lax
security and their systems had been hacked.  But to find out that
Hushmail had hacked their own systems, had actively
compromised their own servers in direct violation of the purpose of
their business is quite a betrayal.  One not just of the user, but
of principle.

I know that Philip Zimmermann was associated with Hushmail for at
least some portion of time.  IMHO these actions by Hushmail are in
strong contrast to his essay, "Why I Wrote PGP," and are much more
in line with the thinking of Donald Kerr, the principal deputy
director of [US] national intelligence: "Privacy no longer can
mean anonymity ... Instead, it should mean that government and
businesses properly safeguard people's private communications and
financial information."
http://www.cnn.com/2007/POLITICS/11/11/terrorist.surveillance.ap/index.html

Furthermore, I conjecture that the complicity of Hushmail has
significantly weakened the entire PGP system.  The active
compromising of their servers and weak implementation of PGP
provides an opening for organizations to look at the contents of
PGP'd email which has been sent to a Hushmail user.  The PGP
community may now assume that the passphrases of any Hushmail user
have been compromised.  The number of Hushmail users means that the
effect on the PGP system is much greater than a keylogger installed
on a single PGP user's machine.

rearden

On Thu, 08 Nov 2007 14:41:35 -0500 Sidney Markowitz 
<[EMAIL PROTECTED]> wrote:
>There's an informative article in a Wired blog in which Hushmail CTO
>Brian Smith provides some information that hints at what happened in
>this case, although he would not speak specifically about the case.
>
>See http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html
>
>His implication is that the target was using their simplified version of
>Hushmail that encrypts on the server, using an SSL connection to send
>passphrase from the client to the server then providing an interface
>similar to ordinary webmail. The court order may have required Hushmail
>to save and hand over the password and/or the decrypted mail. Since
>Brian Smith would not say exactly what happened in this case, we can't
>tell if they modified the system to save the target's password the next
>time they used it and handed that over along with historical stored
>encrypted mail, or if the modification was to save unencrypted mail sent
>after the court order was received, or something else I haven't thought
>of. In any case, Smith said that Hushmail only complies with court
>orders that target specific accounts and would not take any action that
>would affect users not specifically targeted by a court order.
>
>My reading of Smith's statements in interview is that Hushmail would be
>subject to a court order requiring them to supply a hacked Java applet
>to someone who is using their Java based client-side encryption. There
>is no doubt that would be technically feasible, it is mentioned  and
>would fall within the guidelines for court orders that Smith said that
>Hushmail would comply with.
>

Hushmail CTO interviewed (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-12 Thread Sidney Markowitz
There's an informative article in a Wired blog in which Hushmail CTO
Brian Smith provides some information that hints at what happened in
this case, although he would not speak specifically about the case.

See http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

His implication is that the target was using their simplified version of
Hushmail that encrypts on the server, using an SSL connection to send
passphrase from the client to the server then providing an interface
similar to ordinary webmail. The court order may have required Hushmail
to save and hand over the password and/or the decrypted mail. Since
Brian Smith would not say exactly what happened in this case, we can't
tell if they modified the system to save the target's password the next
time they used it and handed that over along with historical stored
encrypted mail, or if the modification was to save unencrypted mail sent
after the court order was received, or something else I haven't thought
of. In any case, Smith said that Hushmail only complies with court
orders that target specific accounts and would not take any action that
would affect users not specifically targeted by a court order.

My reading of Smith's statements in interview is that Hushmail would be
subject to a court order requiring them to supply a hacked Java applet
to someone who is using their Java based client-side encryption. There
is no doubt that would be technically feasible, it is mentioned  and
would fall within the guidelines for court orders that Smith said that
Hushmail would comply with.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
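The difference Sidney draws between the two Hushmail modes comes down to where the passphrase is handled. The Go model below is an added example written for this page, not Hushmail's code: it builds the key hierarchy Hush documents (a passphrase-locked private key, per-message keys wrapped to the public key) and then asks what the server alone can decrypt after an applet-mode read versus a webmail-mode read. AES-GCM, RSA-OAEP, the KeyServer record, the SHA-256 stand-in for a real passphrase KDF and the sample message are all assumptions of the model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// gcmFor builds AES-256-GCM; keys in this model are always 32 bytes, so neither call can fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts with a fresh 12-byte nonce prepended; open reverses it and fails on a wrong key.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read does not return an error in current Go
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// kdf stands in for a salted, iterated passphrase KDF (simplified for this model).
func kdf(passphrase string) []byte {
	sum := sha256.Sum256([]byte("model-kdf:" + passphrase))
	return sum[:]
}

// KeyServer is what Hush holds per the thread: public key in the clear, private key under the passphrase.
type KeyServer struct {
	Pub        *rsa.PublicKey
	EncPriv    []byte
	Passphrase string // empty unless the user has used the server-side (webmail) mode
}

// StoredMail is the OpenPGP-style hybrid the thread quotes: body under a one-time key, key under the public key.
type StoredMail struct {
	WrappedKey, Body []byte
}

// Enroll generates the keypair client-side; only the passphrase-locked private key is uploaded.
func Enroll(passphrase string) *KeyServer {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	enc := seal(kdf(passphrase), x509.MarshalPKCS1PrivateKey(priv))
	return &KeyServer{Pub: &priv.PublicKey, EncPriv: enc}
}

func Send(pub *rsa.PublicKey, plaintext []byte) StoredMail {
	msgKey := make([]byte, 32)
	rand.Read(msgKey)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msgKey, nil)
	must(err)
	return StoredMail{WrappedKey: wrapped, Body: seal(msgKey, plaintext)}
}

// Read is the only path to plaintext: passphrase -> private key -> message key -> body. In applet mode it
// runs on the user's machine; with serverSide set it models webmail mode, where the passphrase crosses
// SSL to the server, which runs the same steps and is therefore in a position to retain it.
func Read(ks *KeyServer, passphrase string, m StoredMail, serverSide bool) ([]byte, error) {
	if serverSide {
		ks.Passphrase = passphrase
	}
	der, err := open(kdf(passphrase), ks.EncPriv)
	if err != nil {
		return nil, fmt.Errorf("private key stays locked: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	must(err)
	msgKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, nil)
	must(err) // in this model every message is addressed to this key
	return open(msgKey, m.Body)
}

// OperatorCanRead asks: with nothing but what the server stores, is the mail readable?
// Passphrase stays "" until a webmail login, and "" does not unlock the private key.
func OperatorCanRead(ks *KeyServer, m StoredMail) bool {
	_, err := Read(ks, ks.Passphrase, m, false)
	return err == nil
}

func main() {
	ks := Enroll("correct horse battery")
	mail := Send(ks.Pub, []byte("constructed sample message"))
	fmt.Println("applet mode, operator can read:", OperatorCanRead(ks, mail)) // false
	Read(ks, "correct horse battery", mail, true)                              // one webmail-mode login
	fmt.Println("webmail mode, operator can read:", OperatorCanRead(ks, mail)) // true
}
```

Whatever the server is ever handed is what a retention order can reach; in the applet path that is only ciphertext and a locked key, so the remaining exposure is the gimmicked-applet threat the thread discusses rather than stored data.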


Re: forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-08 Thread Ian G

Adam Back wrote:

On Fri, Nov 02, 2007 at 06:23:30PM +0100, Ian G wrote:

I was involved in one case where super-secret stuff was shared
through hushmail, and was also dual encrypted with non-hushmail-PGP
for added security.  In the end, the lawyers came in and scarfed up
the lot with subpoenas ... all the secrets were revealed to everyone
they should never have been revealed to.  We don't have a crypto
tool for embarrassing secrets to fade away.


What about deleting the private key periodically?

Like issue one pgp sub-key per month, make sure it has expiry date etc
appropriately, and the sending client will be smart enough to not use
expired keys.

Need support for that kind of thing in the PGP clients.

And hope your month's key expires before the lawyers get to it.

Companies have document retention policies for stuff like
this... dictating that data with no current use be deleted within some
time-period to avoid subpoenas reaching back too far.



Hi Adam,

many people have suggested that.  On paper, it looks like a 
solution to the problem, at least to us.


I think however it is going to require quite significant 
support from the user tools to do this.  That is, the user 
application is going to have to manage the sense of lifetime 
over the message.


One tool that does approach this issue at least 
superficially is Skype.  It can be configured to save chat 
messages for different periods of time, I have mine set to 
around 2 weeks currently.


But, then we run slap-bang into the problem that the *other* 
client also keeps messages.  How long are they kept for? 
I'm not told, and of course even if I was told, we can all 
imagine the limitations of that.


I hypothesise that it might be possible to use contracts to 
address this issue, at least for a civil-not-criminal scope. 
 That is, client software could arrange a contractual 
exchange between Alice and Bob where they both agree to keep 
messages for X weeks, and if not, then commitments and 
penalties might apply.  Judges will look at contracts like 
that and might rule the evidence out of court, in a civil 
dispute.


OK, so we need a lawyer to work that out, and I'm definitely 
whiteboarding here, I'm not sure if the solution is worth 
the effort.


Which is why I am skeptical of schemes like "delete the 
private key periodically."  Unless we solve or address the 
counterparty problem, it just isn't worth the effort to be 
totally secure on our own node.


We know how to do invisible ink in cryptography.  How do we 
do its converse, fading ink?


iang



Re: forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-08 Thread James A. Donald

Ian G wrote:
>> I was involved in one case where super-secret stuff
>> was shared through hushmail, and was also dual
>> encrypted with non-hushmail-PGP for added security.
>> In the end, the lawyers came in and scarfed up the
>> lot with subpoenas ... all the secrets were revealed
>> to everyone they should never have been revealed to.
>> We don't have a crypto tool for embarrassing secrets
>> to fade away.

Adam Back wrote:
> What about deleting the private key periodically?

Mail should have the following security properties:

Mail that appears to come from an entity really did come
from that entity.

Though the recipient can prove to himself the mail came
from that sender, he cannot prove it to third parties
unless the sender cooperates.

If the sender and the recipient discard their copies,
that mail is gone forever.  No one can reconstruct it,
even though they have a complete record of the bits
passed between the sender and recipient and complete
access at a later date to the machines of the sender and
recipient and the complete cooperation, possibly under
extreme duress, of both sender and recipient.

If the sender or the recipient keep a copy that they can
access, then the guys with rubber hoses can shake it out
of them, but they can only see this stuff with the
cooperation, possibly under duress, of the sender or the
recipient - and they only have the sender or the
recipient's word that this is the real stuff.  If the
recipient deleted his stuff, and the guys with rubber
hoses look at the sender's sent box, they cannot know it
is the original and unmodified sent box, and vice versa
for the recipient's in box.

We have the technology to accomplish all this, but not
with the present store and forward architecture.



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-06 Thread Allen



StealthMonger wrote:
[snip]


The larger truth is that a consequence of using Hushmail is that
record of when, with whom, and the size of each communication is
available to Hush, even though the content is concealed.


So the obvious point is that Hushmail, and systems like it, 
become "concentrators" and possible single points of failure.


If, on the other hand, you handled your own PKI to send 
symmetrical keys to your correspondents and managed the keys with 
something like StrongKey, then one could use a vast number of 
ISPs/SMTP points so that they may never get a clear path of send 
and reply through a single ISP.


As Jon Callas said, "If the system is strong, it all comes down 
to your operational security."


Security is not a thing, it is a process that uses tools and 
procedures to accomplish the goal. As I like to say, "Security is 
a lot like democracy - everyone's for it but few understand that 
you have to work at it constantly."


Best,

Allen




Re: forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-06 Thread Jon Callas

What about deleting the private key periodically?

Like issue one pgp sub-key per month, make sure it has expiry date etc
appropriately, and the sending client will be smart enough to not use
expired keys.

Need support for that kind of thing in the PGP clients.


Forgive the additional nag, but that is OpenPGP clients. PGP clients  
are my software. Mind you, I'm in favor of it, but (e.g.) Hushmail is  
not a PGP client. It has nothing to do with PGP Corporation.




And hope your month's key expires before the lawyers get to it.

Companies have document retention policies for stuff like
this... dictating that data with no current use be deleted within some
time-period to avoid subpoenas reaching back too far.



Well, we had some good news this weekend that RFC 4880, the updated  
RFC 2440 is finally published. The OpenPGP working group has other  
work it would like to do, including Perfect Forward Secrecy.


Jon



forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-06 Thread Adam Back
On Fri, Nov 02, 2007 at 06:23:30PM +0100, Ian G wrote:
> I was involved in one case where super-secret stuff was shared
> through hushmail, and was also dual encrypted with non-hushmail-PGP
> for added security.  In the end, the lawyers came in and scarfed up
> the lot with subpoenas ... all the secrets were revealed to everyone
> they should never have been revealed to.  We don't have a crypto
> tool for embarrassing secrets to fade away.

What about deleting the private key periodically?

Like issue one pgp sub-key per month, make sure it has expiry date etc
appropriately, and the sending client will be smart enough to not use
expired keys.

Need support for that kind of thing in the PGP clients.

And hope your month's key expires before the lawyers get to it.

Companies have document retention policies for stuff like
this... dictating that data with no current use be deleted within some
time-period to avoid subpoenas reaching back too far.

Adam
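Adam's monthly-subkey scheme is mostly a key-lifecycle policy, so here it is as an added Go model (not OpenPGP's mechanism or any client's code): the sender's rule of never encrypting to an expired subkey, and the recipient's rule of destroying a private half only after expiry plus a grace window, so that mail still in transit at the month boundary is not lost. Subkey, Ring, the Retention grace, the month-named key IDs and the 2007 dates are the model's own assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Subkey is one monthly encryption subkey in Adam's scheme: a validity window that senders
// honour, plus a local flag recording that the private half has been destroyed.
type Subkey struct {
	ID                  string
	NotBefore, NotAfter time.Time
	PrivateDeleted      bool
}

// Ring is the recipient's keyring plus the retention rule applied to private halves.
type Ring struct {
	Keys      []*Subkey
	Retention time.Duration // grace after expiry so mail in transit at month end is still readable
}

func monthStart(t time.Time) time.Time {
	return time.Date(t.Year(), t.Month(), 1, 0, 0, 0, 0, time.UTC)
}

// Rotate issues the subkey for the month containing now, unless one exists already. It is
// valid from the start of that month until the start of the next.
func (r *Ring) Rotate(now time.Time) *Subkey {
	start := monthStart(now)
	for _, k := range r.Keys {
		if k.NotBefore.Equal(start) {
			return k
		}
	}
	k := &Subkey{ID: start.Format("2006-01"), NotBefore: start, NotAfter: start.AddDate(0, 1, 0)}
	r.Keys = append(r.Keys, k)
	return k
}

// PickForEncryption is the sending client's rule: never encrypt to an expired or not-yet-valid
// subkey, and prefer the newest valid one. It returns nil when no subkey is usable.
func (r *Ring) PickForEncryption(now time.Time) *Subkey {
	var best *Subkey
	for _, k := range r.Keys {
		valid := !now.Before(k.NotBefore) && now.Before(k.NotAfter)
		if valid && (best == nil || k.NotBefore.After(best.NotBefore)) {
			best = k
		}
	}
	return best
}

// Purge is the forward-secrecy step on the recipient's side: destroy each private half once
// expiry plus the retention grace has passed. The purged IDs are returned for the audit log.
func (r *Ring) Purge(now time.Time) []string {
	var purged []string
	for _, k := range r.Keys {
		if !k.PrivateDeleted && !now.Before(k.NotAfter.Add(r.Retention)) {
			k.PrivateDeleted = true
			purged = append(purged, k.ID)
		}
	}
	return purged
}

// CanDecrypt reports whether mail encrypted to subkey id is still recoverable by the recipient.
func (r *Ring) CanDecrypt(id string) bool {
	for _, k := range r.Keys {
		if k.ID == id {
			return !k.PrivateDeleted
		}
	}
	return false
}

func main() {
	r := &Ring{Retention: 7 * 24 * time.Hour}
	r.Rotate(time.Date(2007, time.November, 6, 0, 0, 0, 0, time.UTC))
	dec9 := time.Date(2007, time.December, 9, 0, 0, 0, 0, time.UTC) // a week past November's expiry
	r.Rotate(dec9)
	fmt.Println("purged:", r.Purge(dec9), "November mail still readable:", r.CanDecrypt("2007-11"))
}
```

The model only covers the recipient's own node; as Ian notes in the thread, the counterparty's copy is untouched by any of this.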



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-06 Thread Leichter, Jerry
In previous cases of the government somehow magically gaining access to
"securely encrypted" data, it eventually turned out that the government
had compromised the target's machine and installed a key logger, or some
other piece of software to record the relevant secret information.  So
far, I've seen no information ruling this kind of thing out.  It's in
the government's interest to keep its methodology as secret and
mysterious as it can.

A common mistake is looking at PGP or Hushmail or some other kind of
secure mail system and saying "only I can read my mail."  Not even
close to true:  Unless you're doing all your decryption with a pencil
and a piece of paper, it's your *computer* that can read your mail.
And today's computers simply cannot be treated as trusted.

None of which argues against alternative possible scenarios, such as
the "turned" correspondent at the other end of the mail interchange.
The fact is, we just don't know how this information was obtained.

We *may* learn more as the result of discovery leading up to trial.
It's generally difficult for the government to keep out of the record
the methods they use to obtain evidence, as doing so will tend to
taint the evidence and make it inadmissible.  I'm sure there are
plenty of lawyers looking closely at how to structure things to keep
as many details hidden as possible, however.  The fact that information
came from a "confidential informant" has to be revealed, but the
identity of that informant can generally be kept concealed.  Someone
will argue that the decrypted data plays the role of the "confidential
informant".
-- Jerry




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread travis+ml-cryptography
On Tue, Oct 30, 2007 at 12:27:53PM -0400, [EMAIL PROTECTED] wrote:
> I stumbled across this filing:
> http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

I probably shouldn't say anything about this, but whoever made this
PDF failed to properly redact the personal information in #10, just
like the NYT failed to do with the names of the people who helped the
US in Iran.

I can simply switch desktops and see the numbers underneath before the
rectangles are drawn over them (possibly on another layer).  Actually
the box on #14 seems to work, possibly because it is larger, or was
done differently.

> What I found interesting was:
> 1.  The amount of data which Hushmail was required to turn over to
> the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs  What
> kind of and for what length of time does Hushmail store logs?

You would think that they would store the minimum or none, so that
they didn't have to answer such requests.  In the US, companies can
require compensation for resources spent filling these requests, but
many do not for fear of increased scrutiny by law enforcement.

I have been around when my department at a Usenet server had to fill
these kinds of requests on posts from people selling GHB or something
like that.  They pretty much write their subpoenas as wide as
possible, pretty much "any record you have about..." and then they
give you every relevant piece of identifying information they have.  I
think you have to swear under penalty that you got them everything.
Sorry bro

IIRC, there were laws passed in Europe dictating minimum retention
times for ISPs and such.  They may have been passed in Canada and the
US as well.  I guess the legal theory is that when a business offers
services to the public they give up some rights over private property.

Probably they did the minimum work to comply, which means that the
CDs are either mostly empty, or full of unrelated data.

> 2.  That items #5 and #15 indicated that the _contents_ of emails
> between several Hushmail accounts were "reviewed".

Yep.

> 3.  The request was submitted to the ISP for IP addresses related
> to a specific hushmail address (#9).  How would the ISP be able to
> link a specific email address to an IP when Hushmail uses SSL/TLS
> for both web and POP3/IMAP interfaces?

It appears he used IP addresses gathered from #4.

> Since email between hushmail accounts is generally PGPed.  (That is
> the point, right?)  And the MLAT was used to establish probable
> cause, I assume that the passphrases were not squeezed out of the
> plaintiff.  How did the contents get divulged?

My guess is that Hushmail has had subpoenas before and had to develop
and install a modified java applet which captures the passphrase when
the user enters it.  With that and the stored keys, it can decrypt all
the stored communications.

If that's true, I wouldn't expect them to trumpet it, since it would
mostly negate their value proposition.
-- 
Life would be so much easier if it was open-source.
http://www.subspacefield.org/~travis/> Eff the ineffable!
For a good time on my UBE blacklist, email [EMAIL PROTECTED]




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread Greg Broiles
On 11/1/07, Jon Callas <[EMAIL PROTECTED]> wrote:
>
> I'm sorry, but that's a slur. Hushmail is not a scam. They do a very
> good job of explaining what they do, what they cannot do, and against
> which threats they protect. You may quibble all you want with its
> *effectiveness* but they are not a scam. A scam is being dishonest.

I was unable to read the document discussed in the message that
started this thread, so I retrieved the complaint in US v. Tyler
Stumbo from PACER. I have placed it online at
.

In particular, one of the passages referred to in the initial
message states:

["Item #5"]
A review of e-mails from e-mail address [EMAIL PROTECTED] between
February 14, 2007 and May 17, 2007, revealed OSOCA filled 88 separate
anabolic steroid orders for a total sale of $36,024.00. During a
review of the e-mails, SA Shawn Riley identified OSOCA'S Chinese SOS
for bulk powdered anabolic steroids as "GLP". GLP was using the email
address [EMAIL PROTECTED] to communicate with OSOCA. The
e-mails between [EMAIL PROTECTED] and
[EMAIL PROTECTED] showed there were two shipments of bulk
powdered anabolic steroids from GLP to OSOCA. Both orders were sent to
Tyler STUMBO at 9530 Hageman; Suite B #192, Bakersfield, CA. An
address check revealed 9530 Hageman, Suite B, Bakersfield, CA is a UPS
Store.

[end quoted material]

According to Hushmail's "About -> How Hushmail Works" page at Figure
1, "The user's passphrase encrypts and decrypts the user's private key
so that no one but the user ever has access to it. Not even Team
Hush."

At Figure 4, same page, Hushmail states "[...] The email may only
be decrypted by using the one-time message key.
* The message key can only be decrypted by using the recipient's
private key.
* The recipient's private key can only be decrypted by entering
the recipient's personal passphrase."

At Figure 5, same page, Hushmail states "So, not only is the email
securely coded before it is ever stored on a server, but the key to
decode the email is also encoded. Further, the private key needed to
decrypt this key is also encrypted. Only the recipient can retrieve
their private key by entering their secret personal passphrase."

On the page "About -> The Need For Hushmail", Hushmail states "[...]
By contrast, Hushmail keeps your online communications private and
secure. Not even a Hushmail employee with access to our servers can
read your encrypted email, since each message is uniquely encoded
before it leaves your computer. A Hushmail account lets you
communicate in total security with any other Hush member or
PGP-compatible email user anywhere in the world."

In its "Hush Encryption Engine White Paper" available at
,
Hushmail states on page 4: "When the Private Key is residing on a Hush
Key Server, it is encrypted with a passphrase. That passphrase never
leaves the user's computer. Hence, at no point is the Private Key or
any private data ever accessible to anyone at Hush. As long as you
have a good, strong passphrase, even if Team Hush tried, we couldn't
get your Private Key.

Furthermore, even if the company were subpoenaed by a court of law, a
private key wouldn't be accessible. This can be verified by reviewing
our published source code at http://www.hush.ai/.";

In its "Webmail Using The Hush Encryption Engine" document available
at 

 at page 3, Hushmail states: "Hushmail fulfills the following
requirements: [...] 3. Private keys and private data may only be
decrypted on the client computer, never on any server."

In the introductory e-mail sent to new Hushmail users, Hushmail
states: "Hushmail users can send encrypted email to anybody with an
email address.  If the recipient of your email is another Hushmail or
PGP user, the encryption will take place automatically without any
action on your part."

As a longtime paid Hushmail user, I am surprised to learn that it is
possible to send email to another Hushmail user which is accessible to
Hushmail corporate employees and, by extension, the Canadian
government, and any organization they choose to cooperate with. I was
unable to identify the Hushmail documentation which would explain the
company's ability to comply with the MLAT requests as demonstrated in
the Stumbo matter. I was able to identify a number of statements which
would lead the average reader to conclude that the company is unable
to provide the sort of cooperation discussed in the Stumbo complaint.

I agree that it is possible that one or both of the correspondents in
the Stumbo case used a weak passphrase which was susceptible to a
dictionary attack. I would be surprised to learn that Hush
Communication actively engages in dictionary attacks versus its users
at the request of the Canadian government. If that is the case, this
would

Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread Dave Howe

[EMAIL PROTECTED] wrote:
Maybe this is off topic, but I think it does relate to the 
implementation of cryptography.


I stumbled across this filing:
http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

relating to a drug case where the defendant and others used 
Hushmail.


For an earlier case where the defendants used Hushmail, we have:

http://www.news.com/8301-10784_3-9741357-7.html

Posted in July by Declan McCullagh of Politech fame

I suspect we are just seeing the same invasive keylogging techniques 
trickling down to steroid abuse as have been previously used for more 
high profile drug barons




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread John Levine
>In practice, the larger danger with email is that the high-profile
>threats to email security are on the client side.

Right.  I haven't used the end to end Java stuff, but I believe that
it works.  Unfortunately, when you go to sign up, what you get by
default is a version that is little more than plain old web mail, and
their signup process does not say "if you use the web mail we can read
all your mail and will provide it in plain text if subpoenaed."

That's what I take issue with, promoting web mail as though it were
secure end to end PGP.

R's,
John



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread Dave Howe

Jon Callas wrote:


On Nov 1, 2007, at 10:49 AM, John Levine wrote:


Since email between hushmail accounts is generally PGPed.  (That is
the point, right?)


Hushmail is actually kind of a scam.  In its normal configuration,
it's in effect just webmail with an HTTPS connection and a long
password.  It will generate and verify PGP signatures and encryption
for mail it sends and receives, but they generate and maintain their
users' PGP keys.

There's a Java applet that's supposed to do end to end encryption, but
since it's with the same key that Hushmail knows, what's the point?



I'm sorry, but that's a slur. Hushmail is not a scam. They do a very 
good job of explaining what they do, what they cannot do, and against 
which threats they protect. You may quibble all you want with its 
*effectiveness* but they are not a scam. A scam is being dishonest.


You also mischaracterize the Hushmail system. The "classic" Hushmail 
does not generate the keys, and while it holds them, they're encrypted. 
The secrets Hushmail holds are as secure as the end user's operational 
security.


Seconded. The Java applet is effectively a mail client, a copy of gpg, 
and a copy of the secret keyring; the public keys are looked up on the 
server though, and I suspect/assume that the messages are no more or 
less secure at the hushmail side than your own pgp mail would be on an 
isp imap server (i.e., you could get traffic information trivially just 
by looking, but message content would require being lucky with the 
keyphrase or active co-operation from hushmail to give you a "gimmicked" 
client the next time you log in that reveals that information).




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread Ian G

Jon Callas wrote:


On Nov 1, 2007, at 10:49 AM, John Levine wrote:


Since email between hushmail accounts is generally PGPed.  (That is
the point, right?)


Hushmail is actually kind of a scam.  In its normal configuration,
it's in effect just webmail with an HTTPS connection and a long
password.  It will generate and verify PGP signatures and encryption
for mail it sends and receives, but they generate and maintain their
users' PGP keys.

There's a Java applet that's supposed to do end to end encryption, but
since it's with the same key that Hushmail knows, what's the point?



I'm sorry, but that's a slur. Hushmail is not a scam.



It certainly was not a scam when I was involved (cryptix 
guys did some part of the original java crypto) many years 
ago.  The private key is encrypted by your passphrase, so 
the private key is not available to Hushmail.


The basic concept is of course somewhat limited by what it 
tries to do, but it is sound.  Hushmail published the applet 
that did all this, and it was possible to read the code and 
attack it.  At least one flaw was found, from deep dim memory.


There is for example a danger that hushmail could simply 
change the applet, and then acquire someone's key.  A victim 
would not notice so easily because there isn't much in the 
browser that stops the applet from changing code.  That's a 
threat, and they were aware of it, but it's also a bit of a 
high risk one, as, if it were spotted, their credibility 
would be shot.


In practice, the larger danger with email is that the 
high-profile threats to email security are on the client 
side.  Either you, your own machine, the other guy's 
machine, or the other guy.  I was involved in one case where 
super-secret stuff was shared through hushmail, and was also 
dual encrypted with non-hushmail-PGP for added security.  In 
the end, the lawyers came in and scarfed up the lot with 
subpoenas ... all the secrets were revealed to everyone they 
should never have been revealed to.  We don't have a crypto 
tool for embarrassing secrets to fade away.


iang



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread auto37159
Calling Hushmail a scam (which seems lower in the continuum than 
Snake Oil) is pretty strong.  I have been (and am) a Hushmail user 
for many years and have been impressed by how they go about their 
business.  They are pretty explicit in explaining how things work, 
opening the code up for review, using OpenPGP, non US servers and 
incorporation, etc.

Given the above, I was surprised at what was in the affidavit.  I 
know there are several assumptions; the most glaring is that the 
defendants actually used the PGP implementation in the Hushmail 
system.  The assumed response to a legal request for emails would 
be the data stored on the server, which should be just PGP and 
headers. The affidavit does not state that crackers or keyloggers 
were used or that the passphrase was obtained from the users.  
Given the rest of the detail, it seems like these important actions 
would have been listed if they were used.

I wanted to know the collective opinion on how the contents of the 
emails could then be made known to the DEA without a glaring hole 
in the implementation or administration of Hushmail, either of 
which would be important but disappointing to hear about.

rearden


On Thu, 01 Nov 2007 16:52:28 -0400 Jon Callas <[EMAIL PROTECTED]> 
wrote:
>On Nov 1, 2007, at 10:49 AM, John Levine wrote:
>
>>> Since email between hushmail accounts is generally PGPed.  (That is
>>> the point, right?)
>>
>> Hushmail is actually kind of a scam.  In its normal configuration,
>> it's in effect just webmail with an HTTPS connection and a long
>> password.  It will generate and verify PGP signatures and encryption
>> for mail it sends and receives, but they generate and maintain their
>> users' PGP keys.
>>
>> There's a Java applet that's supposed to do end to end encryption, but
>> since it's with the same key that Hushmail knows, what's the point?
>>
>
>I'm sorry, but that's a slur. Hushmail is not a scam. They do a very
>good job of explaining what they do, what they cannot do, and against
>which threats they protect. You may quibble all you want with its
>*effectiveness* but they are not a scam. A scam is being dishonest.
>
>You also mischaracterize the Hushmail system. The "classic" Hushmail
>does not generate the keys, and while it holds them, they're
>encrypted. The secrets Hushmail holds are as secure as the end user's
>operational security.
>
>I know what you're going to say next. People pick bad passphrases,
>etc. Yes, you're right. That is not being a scam.
>
>They have another system that is more web-service oriented, and they
>explain it on their web site far better than I could. It has further
>limitations in security but with increased usability. It is also not
>a scam.
>
>   Jon
>



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread StealthMonger
Jon Callas <[EMAIL PROTECTED]> writes:

> Hushmail is not a scam.  They do a very good job of explaining what
> they do, what they cannot do, and against which threats they
> protect.  You may quibble all you want with its *effectiveness* but
> they are not a scam.  A scam is being dishonest.

Failure to tell the whole truth is a form of dishonesty, just as is
telling a lie.

By silently, implicitly adopting a narrow definition of "security",
Hush are able to claim "Only Hush's solution provides such a high
level of security combined with total ease of use." [1]

The larger truth is that a consequence of using Hushmail is that
record of when, with whom, and the size of each communication is
available to Hush, even though the content is concealed.

According to the original poster, it's these kinds of data that
Hushmail was required to turn over to the US DEA.


 -- StealthMonger
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>

 --
   stealthmail: Scripts to hide whether you're doing email, or when,
   or with whom.  http://stealthsuite.afflictions.org

[1] http://www.hushmail.com/about-how



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread Jon Callas


On Nov 1, 2007, at 3:57 PM, John Levine wrote:

>> I'm sorry, but that's a slur. Hushmail is not a scam. They do a very
>> good job of explaining what they do, what they cannot do, and against
>> which threats they protect.
>
> Have you looked at Hushmail lately?


I am only quarreling with the word "scam."

Yes, I have. They have their with Java option and their without Java  
option, and even the "Express" option. Look at:





which has a very nice description of each system, and what  
vulnerabilities there are with each. There are many things one might  
say about the without Java option. They might include, "doesn't meet  
my security needs" or "I can't imagine what would possess someone to  
use the non-Java version." But it's not a scam.


Jon



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread Jon Callas
I don't know anything about this case, so everything I say is pure  
supposition.


Let's suppose you have Alice and Bob who are working together on some  
sort of business, and they are using some OpenPGP [1] software to  
encrypt their emails that pertain to that business. Let's suppose  
that the authorities then decide to raid Bob. Let us then suppose  
that they go to Alice's ISP and get a lot of encrypted email, by  
warrant, subpoena, etc. It doesn't matter for our purposes what ISPs  
Alice and Bob are using, nor what OpenPGP software they are using.


* Let us consider the case where Bob turns state's evidence. If those  
emails were encrypted to both Alice's key and Bob's key, after Bob  
turns state's evidence, the authorities can decrypt all the messages  
they seized from Alice's ISP. It doesn't matter what Alice did with  
her key or what Alice's ISP did with it. They can be decrypted  
because Bob's key has been compromised.


* Let us consider the same basic scenario where all the messages are  
encrypted to the sender's, but not the recipient's key. In this case,  
the authorities can decrypt all of Alice's messages to Bob, but not  
Bob's messages to Alice. After they have compromised Bob, all of  
Alice's messages to Bob can be decrypted. The fact that Alice's  
security is untouched is mostly irrelevant. Alice is likely toast,  
not because of the cryptography, but because Bob has been  
compromised, and Bob's key decrypts mail Alice has sent.


* Let us consider a slightly different scenario in which neither  
Alice nor Bob are compromised, but Bob is detained. If the  
authorities raid Alice's ISP, despite the fact that they cannot  
decrypt the messages, they may be able to show a connection between  
Alice and Bob. If they have been CCing themselves, then you'll find  
the same undecryptable message in each mailbox. If they have been  
using "reply," there's probably metadata in the plaintext headers  
that shows that M_n is a reply to M_{n-1} ... M_1, and thus you have  
a chain of messages. If there is other evidence, such as Bob sending  
checks to Alice every so often, the cryptography may be moot or worse  
than moot. (If those messages are harmless, why don't you decrypt  
them? Yes, this can get into many interesting discussions like the  
applicability of Amendments 4 and 5, but these are also not  
cryptographic. I really don't want to discuss them because I'll bet  
we agree.)


Cryptography is not magic pixie dust that you can sprinkle on a  
security problem and make it go away. If your adversary is a major  
national government, you have operational security issues, as well.  
If your adversary is a major national government that has direct  
authority over where you live, then you have a much larger problem.  
The adversary is going to use forensic analysis, traffic analysis,  
and anything else they can think of. They are also not dumb. You also  
have to expect that third parties, including ISPs, are unlikely to  
see why they should fail to comply with legal documents like  
subpoenas and warrants because of what you did. Smart cryptographers  
make sure there are no backdoors in the crypto, because if there  
were, then every beat cop and two-bit mafioso will want you to break  
just that one message -- or else. If the system is strong, it all  
comes down to your operational security.


Jon



[1] I have to give a now-usual rant. PGP is a trademark of PGP  
Corporation and refers to software it makes. OpenPGP is an IETF  
standard that covers encryption, certificates, and digital  
signatures. There are many products that implement the OpenPGP  
standard. PGP software is one of those. But other products, such as  
GnuPG, Hushmail, Bouncy Castle, and so on also implement the OpenPGP  
standard. Furthermore, PGP software implements other standards than  
OpenPGP. For example, PGP software implements the S/MIME and X.509  
standards as well as the OpenPGP standard.
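
The structure Jon's first two cases rest on, as an added example that is not from his post or from Hushmail: one session key per message, wrapped separately to each recipient's public key (the shape of an OpenPGP message, one PKESK packet per recipient), so any single recipient's private key opens the message no matter what the others did. It uses only Go's standard library; RSA-OAEP and AES-GCM are stand-ins for the OpenPGP algorithms, and the keys and message texts are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Wrapped is one message: a single AES-GCM body plus the session key wrapped once
// per recipient (Keys), mirroring one OpenPGP PKESK packet per recipient followed
// by the encrypted data packet. Constructed stand-in for the real packet format.
type Wrapped struct{ Nonce, Body []byte; Keys [][]byte }

// Encrypt seals pt under a fresh session key and wraps that key to every recipient.
func Encrypt(pt []byte, recipients ...*rsa.PublicKey) (*Wrapped, error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sk, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(sk)
	gcm, _ := cipher.NewGCM(block)
	w := &Wrapped{Nonce: nonce, Body: gcm.Seal(nil, nonce, pt, nil)}
	for _, pub := range recipients {
		ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
		if err != nil {
			return nil, err
		}
		w.Keys = append(w.Keys, ek)
	}
	return w, nil
}

// Decrypt opens the message iff it was wrapped to priv: which other recipients it
// was addressed to, and what they did with their keys, makes no difference.
func Decrypt(w *Wrapped, priv *rsa.PrivateKey) ([]byte, error) {
	for _, ek := range w.Keys {
		sk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ek, nil)
		if err != nil {
			continue // this copy of the session key was wrapped to someone else
		}
		block, _ := aes.NewCipher(sk)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, w.Nonce, w.Body, nil)
	}
	return nil, rsa.ErrDecryption // no wrapped session key matches this private key
}
```

With Bob's key in hand, every message Alice wrapped to Bob opens; a message wrapped only to Alice does not, which is the whole of Jon's point about a compromised correspondent.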




Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-05 Thread John Levine
>I'm sorry, but that's a slur. Hushmail is not a scam. They do a very  
>good job of explaining what they do, what they cannot do, and against  
>which threats they protect.

Have you looked at Hushmail lately?  Before I sent that note, I signed
up for an account and sent myself a few messages to be sure I
understood what happens.  They really did generate a PGP key for me
when I signed up.  At least I think they did, the Java thingie that
was supposed to let me download a copy of the key didn't work, but the
mail arrived with a reasonable looking PGP signature.  It also let me
upload my public key for my regular address so Hushmail users can send
me PGP mail.

If you want Web mail that does PGP inbound and outbound, they do a
perfectly fine job, but I suspect that interception in transit isn't
the threat that most users are worried about.

As far as explaining what they do, here's a typical piece of blurbage
snipped from Hushmail's web site.

  By contrast, Hushmail keeps your online communications private and
  secure. Not even a Hushmail employee with access to our servers can
  read your encrypted email, since each message is uniquely encoded
  before it leaves your computer.

In fact they sent and received my mail through an https web site so
although it is encoded in transit (https from me to them, PGP from
them to the other end), it's in the clear at their end.

>You also mischaracterize the Hushmail system. The "classic" Hushmail  
>does not generate the keys

That may well be true, but that's not what I got when I signed up last
night.  Take a look, sign up for one of their free accounts, and see
if you agree with my description of what it does.

R's,
John



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-01 Thread Jon Callas


On Nov 1, 2007, at 10:49 AM, John Levine wrote:

>> Since email between hushmail accounts is generally PGPed.  (That is
>> the point, right?)
>
> Hushmail is actually kind of a scam.  In its normal configuration,
> it's in effect just webmail with an HTTPS connection and a long
> password.  It will generate and verify PGP signatures and encryption
> for mail it sends and receives, but they generate and maintain their
> users' PGP keys.
>
> There's a Java applet that's supposed to do end to end encryption, but
> since it's with the same key that Hushmail knows, what's the point?



I'm sorry, but that's a slur. Hushmail is not a scam. They do a very  
good job of explaining what they do, what they cannot do, and against  
which threats they protect. You may quibble all you want with its  
*effectiveness* but they are not a scam. A scam is being dishonest.


You also mischaracterize the Hushmail system. The "classic" Hushmail  
does not generate the keys, and while it holds them, they're  
encrypted. The secrets Hushmail holds are as secure as the end user's  
operational security.


I know what you're going to say next. People pick bad passphrases,  
etc. Yes, you're right. That is not being a scam.


They have another system that is more web-service oriented, and they  
explain it on their web site far better than I could. It has further  
limitations in security but with increased usability. It is also not  
a scam.


Jon



Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-01 Thread John Levine
>Since email between hushmail accounts is generally PGPed.  (That is 
>the point, right?)

Hushmail is actually kind of a scam.  In its normal configuration,
it's in effect just webmail with an HTTPS connection and a long
password.  It will generate and verify PGP signatures and encryption
for mail it sends and receives, but they generate and maintain their
users' PGP keys.

There's a Java applet that's supposed to do end to end encryption, but
since it's with the same key that Hushmail knows, what's the point?




Hushmail in U.S. v. Tyler Stumbo

2007-11-01 Thread auto37159
Maybe this is off topic, but I think it does relate to the 
implementation of cryptography.

I stumbled across this filing:  
http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

relating to a drug case where the defendant and others used 
Hushmail.

What I found interesting was:
1.  The amount of data which Hushmail was required to turn over to 
the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs.  What 
kind of logs, and for what length of time, does Hushmail store?

2.  That items #5 and #15 indicated that the _contents_ of emails 
between several Hushmail accounts were "reviewed".  

3.  The request was submitted to the ISP for IP addresses related 
to a specific hushmail address (#9).  How would the ISP be able to 
link a specific email address to an IP when Hushmail uses SSL/TLS 
for both web and POP3/IMAP interfaces?

Since email between hushmail accounts is generally PGPed (that is 
the point, right?) and the MLAT was used to establish probable 
cause, I assume that the passphrases were not squeezed out of the 
plaintiff.  How did the contents get divulged?

Rearden

