eeso
Str@nger

Registered: 03/25/07
Posts: 554
Hushmail rats users to feds
#7632837 - 11/13/07 09:44 PM (16 years, 2 months ago)
Apparently subpoenaed info from hushmail played a part in the recent steroid busts.
"My guess is that Hushmail has had subpoenas before and had to develop and install a modified java applet which captures the passphrase when the user enters it. With that and the stored keys, it can decrypt all the stored communications." - 'Travis'
http://cryptome.org/hushmail-rat.htm
http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf
Remember - nothing is completely secure...
Edit: Shit there's already a thread on this - my bad
Edited by eeso (11/13/07 09:51 PM)
SheerTerror
ST


Registered: 11/28/03
Posts: 2,348
Last seen: 9 years, 2 months
Re: Hushmail rats users to feds [Re: eeso]
#7633563 - 11/14/07 01:09 AM (16 years, 2 months ago)
yea good post, a lot of people here use it. I guess the only wise option, if you need that kind of security, would be to pay monthly to run your own encrypted mail server
fastfred
Old Hand



Registered: 05/17/04
Posts: 6,899
Loc: Dark side of the moon
Re: Hushmail rats users to feds [Re: SheerTerror] 1
#7634328 - 11/14/07 10:19 AM (16 years, 2 months ago)
Quote:
SheerTerror said: yea good post, a lot of people here use it. I guess the only wise option, if you need that kind of security, would be to pay monthly to run your own encrypted mail server
Or you can just encrypt your own mail and send it using any of the thousands of free mail services. Then you KNOW that nobody else has your private key.
Encryption is only secure if you're the only one with access to your private key, which is why services like hushmail are a stupid idea in the first place.
-FF
Seuss
Error: divide byzero



Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 2 months, 20 days
Re: Hushmail rats users to feds [Re: fastfred]
#7634468 - 11/14/07 11:02 AM (16 years, 2 months ago)
> Then you KNOW that nobody else has your private key.
Even then, you can't be 100% certain... keyloggers, spyware, etc.
Quote:
My guess is that Hushmail has had subpoenas before and had to develop and install a modified java applet which captures the passphrase when the user enters it.
I never used hushmail, but if they don't use SSL, then a man-in-the-middle attack (packet sniffer) would also be a good guess.
-------------------- Just another spore in the wind.
El Zorro
in heaven
Registered: 03/21/07
Posts: 902
Last seen: 2 years, 27 days
Re: Hushmail rats users to feds [Re: Seuss] 1
#7634670 - 11/14/07 11:37 AM (16 years, 2 months ago)
Hushmail did not rat out anyone.
The DEA established probable cause by responding to an AD on a steroid discussion board. They then communicated with the steroid supplier via e-mail and set up several buys this way. They then issued a federal subpoena to Hushmail which they could not refuse.
The lesson here is don't advertise on a public discussion board that you are selling illegal drugs.
fastfred
Old Hand



Registered: 05/17/04
Posts: 6,899
Loc: Dark side of the moon
Re: Hushmail rats users to feds [Re: Seuss]
#7634855 - 11/14/07 12:22 PM (16 years, 2 months ago)
Quote:
Seuss said: > Then you KNOW that nobody else has your private key.
Even then, you can't be 100% certain... keyloggers, spyware, etc.
If you really want to be secure you'll have your private key on a USB drive, hidden in your camera/mp3 player, or burned onto a little CD. That way you control physical possession of the key at all times except when you're using it to decrypt data.
The chance of a keylogger or spyware getting something on a removable drive that's only inserted for a minute or two as needed is pretty slim I would think.
-FF
eeso
Str@nger

Registered: 03/25/07
Posts: 554
Re: Hushmail rats users to feds [Re: El Zorro]
#7635816 - 11/14/07 03:51 PM (16 years, 2 months ago)
Quote:
El Zorro said: Hushmail did not rat out anyone.
The DEA established probable cause by responding to an AD on a steroid discussion board. They then communicated with the steroid supplier via e-mail and set up several buys this way. They then issued a federal subpoena to Hushmail which they could not refuse.
The lesson here is don't advertise on a public discussion board that you are selling illegal drugs.
Well, I understand all that; you miss the point completely. Do you understand what hushmail is and how it works?
Mail between hushmail accounts is usually PGPed using one of their web apps. They shouldn't have access to or store the user's pass-phrase EVER and wouldn't unless they themselves obtained it surreptitiously.
Without this passphrase none of the stored encrypted messages in the user's mailbox would be intelligible, rendering the stored data in it useless for the government's purposes.
Hushmail stole a user's passphrase using their own systems (not really that difficult), but they do not disclose that they can and do do this. This is certainly not the first time it's been done - even if it's the first we know about.
Therein lies the ethical rub.
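To put the trust model eeso describes into code, here is an added example (mine, not Hushmail's code or anything posted in this thread): it models what the provider stores and shows that the wrapped key plus the encrypted mail are useless until the provider holds the user's passphrase, at which point everything opens. The cipher is an illustrative SHA-256 stream and a symmetric per-user secret stands in for the PGP private key; both are simplifications, not Hushmail's design.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Toy model of the arrangement described in the thread (added example, not
# Hushmail's code): the provider keeps the passphrase-wrapped private key and
# the encrypted mail, never the passphrase. PGP's asymmetric key is simplified
# to one symmetric per-user secret; who can supply the passphrase is the point.

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 32-byte wrapping key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode keystream XOR; not a production cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC so a wrong key is detected instead of yielding garbage."""
    nonce = os.urandom(16)
    ct = stream_xor(key, nonce, plaintext)
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, "sha256").digest()}

def unseal(key: bytes, box: Dict[str, bytes]) -> Optional[bytes]:
    tag = hmac.new(key, box["nonce"] + box["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, box["tag"]):
        return None  # wrong key: the stored data stays unintelligible
    return stream_xor(key, box["nonce"], box["ct"])

def enrol_user(passphrase: str, messages: List[bytes]) -> dict:
    """What the provider ends up holding after the user's client has done its work."""
    salt, private_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_key": seal(derive_key(passphrase, salt), private_key),
            "mail": [seal(private_key, m) for m in messages]}

def provider_reads_mail(store: dict, passphrase_in_hand: str) -> Optional[List[bytes]]:
    """Provider (or whoever subpoenas it) tries the store with a passphrase.
    A guess fails closed; a passphrase captured from the user's client opens all mail."""
    private_key = unseal(derive_key(passphrase_in_hand, store["salt"]), store["wrapped_key"])
    if private_key is None:
        return None
    return [unseal(private_key, box) for box in store["mail"]]
```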
eeso
Str@nger

Registered: 03/25/07
Posts: 554
Re: Hushmail rats users to feds [Re: fastfred]
#7635856 - 11/14/07 04:04 PM (16 years, 2 months ago)
Quote:
fastfred said:
Quote:
Seuss said: > Then you KNOW that nobody else has your private key.
Even then, you can't be 100% certain... keyloggers, spyware, etc.
If you really want to be secure you'll have your private key on a USB drive, hidden in your camera/mp3 player, or burned onto a little CD. That way you control physical possession of the key at all times except when you're using it to decrypt data.
The chance of a keylogger or spyware getting something on a removable drive that's only inserted for a minute or two as needed is pretty slim I would think.
-FF
Malware needn't be on the removable media to snag the data - only on a system that has read access to said media.
Though that's really not a bad idea.
El Zorro
in heaven
Registered: 03/21/07
Posts: 902
Last seen: 2 years, 27 days
Re: Hushmail rats users to feds [Re: eeso]
#7635903 - 11/14/07 04:19 PM (16 years, 2 months ago)
Quote:
eeso said:
Quote:
El Zorro said: Hushmail did not rat out anyone.
The DEA established probable cause by responding to an AD on a steroid discussion board. They then communicated with the steroid supplier via e-mail and set up several buys this way. They then issued a federal subpoena to Hushmail which they could not refuse.
The lesson here is don't advertise on a public discussion board that you are selling illegal drugs.
Well, I understand all that; you miss the point completely. Do you understand what hushmail is and how it works?
Mail between hushmail accounts is usually PGPed using one of their web apps. They shouldn't have access to or store the user's pass-phrase EVER and wouldn't unless they themselves obtained it surreptitiously.
Without this passphrase none of the stored encrypted messages in the user's mailbox would be intelligible, rendering the stored data in it useless for the government's purposes.
Hushmail stole a user's passphrase using their own systems (not really that difficult), but they do not disclose that they can and do do this. This is certainly not the first time it's been done - even if it's the first we know about.
Therein lies the ethical rub.
You're right. That negates the whole purpose of Hushmail doesn't it?
eeso
Str@nger

Registered: 03/25/07
Posts: 554
Re: Hushmail rats users to feds [Re: El Zorro]
#7635921 - 11/14/07 04:25 PM (16 years, 2 months ago)
Quote:
El Zorro said:
Quote:
eeso said:
Quote:
El Zorro said: Hushmail did not rat out anyone.
The DEA established probable cause by responding to an AD on a steroid discussion board. They then communicated with the steroid supplier via e-mail and set up several buys this way. They then issued a federal subpoena to Hushmail which they could not refuse.
The lesson here is don't advertise on a public discussion board that you are selling illegal drugs.
Well, I understand all that; you miss the point completely. Do you understand what hushmail is and how it works?
Mail between hushmail accounts is usually PGPed using one of their web apps. They shouldn't have access to or store the user's pass-phrase EVER and wouldn't unless they themselves obtained it surreptitiously.
Without this passphrase none of the stored encrypted messages in the user's mailbox would be intelligible, rendering the stored data in it useless for the government's purposes.
Hushmail stole a user's passphrase using their own systems (not really that difficult), but they do not disclose that they can and do do this. This is certainly not the first time it's been done - even if it's the first we know about.
Therein lies the ethical rub.
You're right. That negates the whole purpose of Hushmail doesn't it?
Pretty much yea.
BTW I'll agree that they perhaps didn't 'rat' out anyone, depending on how you define that - that was just the title of the cryptome page.