Sciencemadness Discussion Board
Not logged in [Login ]
Go To Bottom

Printable Version  
 Pages:  1  
Author: Subject: Hushmail open to Feds with court orders.
WizardX
Hazard to Self
**




Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline

Mood: wizardx.suddenlaunch3.com

[*] posted on 10-11-2007 at 18:36
Hushmail open to Feds with court orders.


Hushmail open to Feds with court orders. US federal law enforcement agencies have obtained access to clear text copies of encrypted emails sent through Hushmail as part a of recent drug trafficking investigation.

http://www.theregister.co.uk/2007/11/08/hushmail_court_order...




Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
View user's profile Visit user's homepage View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 10-11-2007 at 18:45


Anyone who communicates by any means more complex than two Dixie cups and a length of twine is subject to interception. The telecoms industry and the national-security establishments have been intertwined since Day One.

So anyone who thinks bullshit blandishments about encryption by free email providers will protect them from law enforcement and allow them to conduct criminal conspiracies with impunity is...naive. Dense. Dim. Dead from the neck up.

Remember, the US Government (specifically ARPA which is part of the DOD, the Pentagon) created the Internet.

The right of privacy, to the extent that it exists at all in cyber, does not give anyone a license to engage in crime.




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
S.C. Wack
bibliomaster
*****




Posts: 2419
Registered: 7-5-2004
Location: Cornworld, Central USA
Member Is Offline

Mood: Enhanced

[*] posted on 10-11-2007 at 19:43


http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.htm...
As the original article says, this only applies if you're not running the crapplet. Any moron who would disable Java before signing in and thus expose themselves get what they deserve.




"You're going to be all right, kid...Everything's under control." Yossarian, to Snowden
View user's profile Visit user's homepage View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 10-11-2007 at 20:21


Hushmail's spam filter, which originally was quite effective, is now less than 50% effective.

Anyway, Hushmail is a Canadian company and the court orders it has complied with are Canadian court orders.

Despite that I seriously advise anyone not to think that any applet is going to protect anyone from national-agency level access, period, full stop.

[Edited on 11-11-2007 by Sauron]




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
chemrox
International Hazard
*****




Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline

Mood: LaGrangian

[*] posted on 10-11-2007 at 22:09


I'm going to take issue with my friend Sauron's implication that using hushmail and relying on it for privacy implies involvement in crime is dead wrong. It is like saying that putting your letters in an envelope indicates your having something to hide. I had a hushmail address so I could comunicate with a partner on patent application matters. I might not want some publication starved prof reading my geochem reports either. And, I'm sure this is quite common, what if my sexual mores don't conform and I don't want that made public? In Amerika, and I love the country my forefathers founded, nearly everything is proscribed and/or required by some statute, regulation, code, registration, ..etc. We're due for another revolution. The Supreme Court of the US, in Roe v. Wade, found that the 1st, 2nd, 4th, and 5th Amendments collectively created a right to privacy. Furthermore the whole concept of a free people means a right to privacy without which the word "freedom" is meaningless. The biggest threat to a democratic society is the citizen who believes, "if you have nothing to hide... " Am I passionate about this? Yes! Sorry for the blog but this is important to me. Now having sounded off as I have, I agree with Wack for a change, if a guy is dumb enough to rely on server side provided privacy *he* gets what *he* deserves. (I love English grammar too.) After agreeing that the guys were stupid to carry on crimes assuming they were over the internet using a privacy service, it is still a sad day and evidence of how far a controlling corrupt misguided administration will go toward its less than admirable ends. As a practical matter, wouldn't regular email and rigorous use of PGP have been a better choice? I only got the hushmail because my buddy had trouble managing his PGP files.


[Edited on 10-11-2007 by chemrox]




"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
View user's profile View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 10-11-2007 at 22:43


God damn it, that is NOT what I said.

What I said was that "free encrypted email" is not really secure, and that ANYONE who thinks it is secure from official scrutiny is living in a fool's paradise.

I'm a Hushmail user myself, so I would hardly equate using Hushmail per se with criminality.

However, clearly, the email provider is perfectly willing to cooperate with legitimate government demands and that is perfectly fine with me.

What astonishes me is the naivete of anyone who ever thought otherwise.




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
MadHatter
International Hazard
*****




Posts: 1339
Registered: 9-7-2004
Location: Maine
Member Is Offline

Mood: Enjoying retirement

[*] posted on 10-11-2007 at 23:04
Encryption


Using encryption on the server side was clearly what got these idiots caught. No
encryption system is perfect but damn it, I'll encrypt from MY side. Those guys also
impress me as being lazy.


[Edited on 2007/11/11 by MadHatter]




From opening of NCIS New Orleans - It goes a BOOM ! BOOM ! BOOM ! MUHAHAHAHAHAHAHA !
View user's profile View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 10-11-2007 at 23:20


chemrox, my advice is that if you want to protect your proprietary business information, then encrypt it onto a flash drive on a standalone machine and courier it to your partner or lawyer and have him decrypt it on his own standalone. Putting anything on the Net or on a network and relying on encryption for security is false security. Physical security is better, and encrypting en route keeps prying eyes out.



Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
chemrox
International Hazard
*****




Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline

Mood: LaGrangian

[*] posted on 10-11-2007 at 23:33


thanks Sauron - I agree- our (net) conversations have been very conceptual btw but you're right. Madhatter, I couldn't agree more. Still I wish Hushmail had put up more of a fight, on principle..



"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
View user's profile View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 11-11-2007 at 00:05


Hushmail would have been cited for contempt of court in a NY minute if they had refused to comply with a lawful court order.

That tends to make the judge see red.




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
WizardX
Hazard to Self
**




Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline

Mood: wizardx.suddenlaunch3.com

[*] posted on 11-11-2007 at 15:00


Quote:
Originally posted by chemrox
Still I wish Hushmail had put up more of a fight, on principle..


I concur! On the principle that Hushmail allowed a weakness on their system, that the Feds exploited.

Hushmail should force the downloading and execution of the java applet period, to ensure the highest secure cryptology.




Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
View user's profile Visit user's homepage View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 11-11-2007 at 15:12


As a Hushmail user, I can assure you that should Hushmail make the use of their Java applet mandatory instead of at the discretion of the user, I would drop my Hushmail account like a hot rock.

I set up that account because I was tired of being poked and prodded by Microsoft (Hotmail) "for my own good" so I am sure as shit not going to sit still for Hushmail forcing me to use encryption that I neither want nor need.




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
WizardX
Hazard to Self
**




Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline

Mood: wizardx.suddenlaunch3.com

[*] posted on 11-11-2007 at 15:48


When using this secure web-based email system, you have the option of enabling or disabling Java support. Turning on Java provides an additional layer of security, but is not necessary for secure communication using this system. To learn how to install Java, click here (recommended).

https://www.hushmail.com/hushmail/showHelpFile.php?file=comp...




Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
View user's profile Visit user's homepage View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 11-11-2007 at 16:12


I repeat: I have no need for "secure communications"

I especially have no need for insecure "secure communications" in which the "security" is a cynical and transparent mendacity.

Anyone who NEEDS truly secure communications and communicates on the Internet, is a fool. One might as well shout his secrets from the rooftops. Or put them on a web page.

A federal agent friend told me, oh, thirty years ago, that if criminals would just wise up and stop talking on the telephone, they'd be a lot harder to catch.

He was not particularly referring to wiretapping or NSA intercepts, but to simple phone logs - lists of calls sent from and received by a particular number, and which are maintained by every telephone service provider. Federal agencies can obtain these just by administrative subpoena - not a court order, but merely a written request from the agency to the phone company.

Let's see, who was President at that time? Jimmy Carter. And it was nothing new.

My point is: telecommunications and REAL security do not happily coexist. The government spends a great deal of money making sure that their commo is secure and another great deal of money making sure that no one else's is. And they succeed to an extent you are never likely to know.

I put as much faith in Hushmail's "secure" email as I do in the protection afforded to someone against knives and guns supposedly afforded by certain Buddhist amulets. What a quaint notion!




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
Phosphor-ing
Hazard to Others
***




Posts: 246
Registered: 31-5-2006
Location: Deep South, USA
Member Is Offline

Mood: Inquisitive

[*] posted on 12-11-2007 at 07:46


What do you think about Stealth Message?

http://www.stealthmessage.com/

I personally like the self destruct feature. doesn't allow anyone to keep sensitive information.
View user's profile View All Posts By User
vulture
Forum Gatekeeper
*****




Posts: 3330
Registered: 25-5-2002
Location: France
Member Is Offline

Mood: No Mood

[*] posted on 12-11-2007 at 07:50


Just use fucking PGP?



One shouldn't accept or resort to the mutilation of science to appease the mentally impaired.
View user's profile View All Posts By User
JohnWW
International Hazard
*****




Posts: 2849
Registered: 27-7-2004
Location: New Zealand
Member Is Offline

Mood: No Mood

[*] posted on 12-11-2007 at 08:05


If you were REALLY smart, you would use TWO forms of encryption to conceal the content of incriminating emails: - one encryption using PGP; and the other consisting of a special code made up in advance between the parties to the communication, in which incriminating words are replaced by innocuous code-words (e.g. "missile" replaced by "chicken"). A third type of encryption could be added to these, in which letters and numerals are replaced by others chosen from not only alphanumeric characters but also other symbols from the ASCII character set. Commonly-used letters like "a" and "e" could be replaced by several different code-characters used at random, so as to foil frequency-analysis decrypting.
View user's profile View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 12-11-2007 at 21:08


People who believe in unbreakable encryption available to the public remind me of Hitler's faith in the Siegfried Line.

Misplaced and illusory in both cases.




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
chemrox
International Hazard
*****




Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline

Mood: LaGrangian

[*] posted on 12-11-2007 at 22:01


PGP is theoretically breakable by brute force but the investment in computer resources is formidable even for NSA and it would have to be a high alert NSA issue for a successfull PGP attack. Like Asama Bin Laden's whereabouts or plans.



"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
View user's profile View All Posts By User
Sauron
International Hazard
*****




Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline

Mood: metastable

[*] posted on 12-11-2007 at 23:26


That's the conventional wisdom from outsiders. The insiders are happy to aid and abet that assumption. Personally I would not give a plugged nickle for the accuracy of that statement.

The French used to believe in the Maginot Line, at one time. As Patton said: fixed fortifications are monuments to the stupidity of man.




Sic gorgeamus a los subjectatus nunc.
View user's profile View All Posts By User
not_important
International Hazard
*****




Posts: 3873
Registered: 21-7-2006
Member Is Offline

Mood: No Mood

[*] posted on 13-11-2007 at 07:55


If the NSA had anything better than massive hardware arrays to crack compromised encrypted messages, I doubt that Clinton's Clipper Chip and the "crypto is munitions" nonsense would have come about. Better to just be quite and let cryto algorithms the the NSA knows how to lockpick get widely used.

Not every crypto-nerd is a amoral geek working for the NSA or its kin, there's a number of independent workers who have gone over the leading algorithms looking for weaknesses. So far there's only been minor weaknesses found when using poor keys, special message strings, or limited versions of the algorithms.

Brute force decodes with an iterated key, looking for output that meets statistical tests for being meaningful. As most encryption gives output that is close to random noise, encrypting with one algorithm and key, then encrypting the output with a different key and perhaps algorithm makes brute force much more difficult; each attempt on the outer coding must have its result test via brute force to se if the outer key has been found. The result 2^400 or larger number of trials to break the coding still takes a long time with any known existing hardware.

The NSA is interested in quantum computers as a way to speed up brute force attacks, but there's no evidence that they've some breakthrough; given the nature of the US government in this century it's likely such work would have been farmed out on a no-bid contract to politically connected companies, who would do the same quarter-assed job as they done with other such contracts. The story may be different if the Chinese and Indians start cooperating on such tasks, but the NSA won't be getting the results of that research. The current US administration is more likely to declare the people involved with the crypted message to be terrorists and pack them off to some corner of the world where they can be waterboarded into revealing what the message was, or at least to saying that the message was what the government wants it to be.
View user's profile View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 13-11-2007 at 09:58


Quote:
Originally posted by Sauron
That's the conventional wisdom from outsiders. The insiders are happy to aid and abet that assumption. Personally I would not give a plugged nickle for the accuracy of that statement.

The French used to believe in the Maginot Line, at one time. As Patton said: fixed fortifications are monuments to the stupidity of man.


Thanks, not_important, for saving me the effort of typing out what you did. As another piece of evidence against the capability of governments to just decrypt whatever messages they please, cases against high-level mob figures and drug chemists who used encryption have involved planting keyloggers on the suspect's computer. There's no evidence of the government breaking strongly encrypted messages at-will and all open academic research suggests that sort of capability would be extremely expensive, even when compared with the large budgets of national intelligence agencies. Believing that the NSA can easily read any message it pleases is akin to believing that NASA has secret manned bases on Mars -- unsupported by any empirical evidence and strongly suggested against by the facts that are available.

That's not to say the government can't eventually get people who use encryption, if it's important enough, but the attack will be an end-run around your security (trojans, keyloggers) rather than a frontal assault on it.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
unionised
International Hazard
*****




Posts: 5126
Registered: 1-11-2003
Location: UK
Member Is Offline

Mood: No Mood

[*] posted on 13-11-2007 at 10:21


"People who believe in unbreakable encryption available to the public remind me of Hitler's faith in the Siegfried Line."
How do you propose to crack one time pad?
Last I heard it was still secure. A pita, but secure.
View user's profile View All Posts By User
WizardX
Hazard to Self
**




Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline

Mood: wizardx.suddenlaunch3.com

[*] posted on 13-11-2007 at 15:18


http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Quote:
As of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced that AES may be used for classified information:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use." — [2]
This marks the first time that the public has had access to a cipher approved by NSA for encryption of TOP SECRET information. Many public products use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future).


Cryptanalysis.

http://en.wikipedia.org/wiki/Related-key_attack
http://en.wikipedia.org/wiki/Chosen-plaintext_attack
http://en.wikipedia.org/wiki/Side_channel_attack




Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
View user's profile Visit user's homepage View All Posts By User
WizardX
Hazard to Self
**




Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline

Mood: wizardx.suddenlaunch3.com

[*] posted on 13-11-2007 at 15:47


Side channel attack. http://en.wikipedia.org/wiki/Side_channel_attack

In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system. Many side-channel attacks require considerable technical knowledge of the internal operation of the system on which the cryptography is implemented.

Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically called side-channel attacks: see social engineering and rubber-hose cryptanalysis. For attacks on computer systems themselves (which are often used to perform cryptography and thus contain cryptographic keys or plaintexts), see computer security.


One simple intelligence gathering that will drastically increase a brute force attacks is knowing how many characters in the password.

Example. Let's assume this password: cGd6uB91V4ma

In a password field box it will look like this: ************

12 characters in the password cGd6uB91V4ma

Therefore, you can narrow a brute force attack to a 12 character password, as you know the password has ONLY 12 characters. Of course, you will need to generate ALL passwords with upper & lowercase alphabet, 0-9, symbols and hex.




Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
View user's profile Visit user's homepage View All Posts By User
 Pages:  1  

  Go To Top