Forgot your password?
typodupeerror
Privacy Communications Security

Is Hushmail Still Safe? 264

Posted by Soulskill
from the possibly-good-protection dept.
Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication: "For a long time, Hushmail was considered a very secure email provider until an affidavit (PDF) from a DEA agent in 2007 showed that they had handed over 12 CDs of possibly decrypted data to law enforcement. Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?"
This discussion has been archived. No new comments can be posted.

Is Hushmail Still Safe?

Comments Filter:
  • by Naughty Bob (1004174) * on Sunday August 03, 2008 @11:09AM (#24456183)
    The answer depends on how naughty you are.

    For the kind of low-level crimes I like to commit, Hushmail is safe as milk.

    If you like to blow up American stuff, it's not so safe anymore.
  • by spune (715782) on Sunday August 03, 2008 @11:10AM (#24456199)
    you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.
    • by jjohnson (62583) on Sunday August 03, 2008 @11:17AM (#24456247) Homepage

      Generally yes, but Hushmail offered two methods of encrypting emails: on their servers and in a Java applet that did it locally. What came out during the earlier revelations was the company handed over email that they decrypted on their servers, but couldn't do so for the applet based encryption. They said up front that the applet was far more secure.

      • by TubeSteak (669689) on Sunday August 03, 2008 @12:14PM (#24456705) Journal

        What came out during the earlier revelations was the company handed over email that they decrypted on their servers, but couldn't do so for the applet based encryption. They said up front that the applet was far more secure.

        IIRC, Hushmail started passing out 'bad' java applets so that they could grab encryption keys.

        • by julesh (229690) on Monday August 04, 2008 @04:20AM (#24463545)

          IIRC, Hushmail started passing out 'bad' java applets so that they could grab encryption keys.

          No, this is not what they did. If they had changed their applet in order to achieve this, myself and lots of other regular hushmail users would have noticed when we were prompted to approve a new version to execute in our browsers.

          What they did do was introduce a javascript-only version which sends the keys to their servers, and make it an insecure-by-default choice. Anyone not paying attention could have easily uploaded their keys.

      • by legirons (809082) on Sunday August 03, 2008 @01:28PM (#24457231)

        If you're encrypting email yourself then hushmail is just unnecessary. Use fireGPG with gmail and you've already got better privacy than hushmail (i.e. no need to trust their java applications)

        plus you get the entertainment of watching google struggle to choose adverts for your "----BEGIN PGP MESSAGE----" email

      • Re: (Score:3, Insightful)

        Generally yes, but Hushmail offered two methods of encrypting emails: on their servers and in a Java applet that did it locally.

        The problem is that the applet can't be verified. And, honestly, this should never have been the first indication of that.

        Or rather, the applet could be verified -- you'd just have to verify it every time. The only way I know of to make this easy would be with a Firefox extension -- but at that point, to borrow the other poster's idea, why use Hushmail in the first place? [getfiregpg.org]

        Hushmail is really a way of making GPG easy for people who don't understand how it works. The flaw in this is that to use GPG at all secur

        • by Mistshadow2k4 (748958) on Sunday August 03, 2008 @01:50PM (#24457425) Journal

          Hushmail is really a way of making GPG easy for people who don't understand how it works.

          From my own admittedly anecdotal experience, I'd say Hushmail is just a way to make money. Not only do they constantly bombard you with pleas to upgrade to their paid service, but they are supposed to delete your account if you don't check it every 3 weeks. But my account was deleted under this claim when it had been only 1 week since I checked it. Yes, I'm sure. Not only that, but when I tried to create an account with the same name, whenever I pressed okay I got an error message that I couldn't use that name without upgrading. After that I'd started using GPG with Gmail. Both are free.

          I guess I'm old-fashioned, or just learned better because I was raised in a poor rural area, but it's better to learn how to do something yourself if it's easy anyway than to pay someone too much to do it for you.

      • by mcrbids (148650) on Sunday August 03, 2008 @02:16PM (#24457629) Journal

        Anytime your private encryption key is "over there" you are at risk. If your private key is stored on *their* servers in such a manner that *they* can get to it, your privacy is at risk.

        As a software developer, I'm in a pilot program to use encryption for digital signatures. Despite the relative simplicity of using openSSL functionality, it's been surprisingly painstaking and laborious to put everything together.

        See, real security requires outright paranoia. How do you prevent your CA key from being compromised, in such a way that you can all-but guarantee that it hasn't been? To do this, you have to make it not only unlikely, but impossible to be compromised in every conceivable way. How do you prevent your client's private key from being compromised, in such a way that you can all but guarantee it? How do you prevent a malicious client from obtaining a signed certificate? How do you prevent 3rd parties from MITM attacks? How do you provide high-level security for all the above, while still providing redundancy for disaster recovery? How do you prevent compromises stemming from a social engineering attack?

        Not including implementation and ongoing maintenance of these procedures, the cost of just proving that you have all these measures in place runs to many thousands of dollars!

        A solution that answers all these and every conceivable related question is surprisingly difficult, and many, if not most, of the problems are not technical, but social.

      • Re: (Score:3, Interesting)

        by mlts (1038732) *

        For email that was decrypted on their servers using the Outlook plugin, they were pretty much forced to hand it over or be shut down bu the Powers that Be in their country.

        Hushmail offers one service that no other E-mail company provides -- decryption of E-mails on the local client. I can sit at any machine that has a JVM and that is trusted to not have a keylogger, log onto Hushmail, and decrypt any new mail locally. The mail remains encrypted on Hushmail's servers.

        Another advantage of Hushmail is their

    • by Naughty Bob (1004174) * on Sunday August 03, 2008 @11:18AM (#24456251)

      you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

      RTFAs much? Hushmail provide you with an optional, open app to encrypt things before they leave your computer. But now it seems that (based on differing hashes) the code used 'in the field' is not the same as the reference source code they show on their site.

      I'd be inclined, given Hushmail's excellent track record on openness, to believe that this is more an oversight, i.e. something not updated, than a turn to the dark side.

    • Re: (Score:3, Insightful)

      by AmiMoJo (196126)

      If only popular email clients would ship with encryption built in, set up by the account creation wizard and turned on by default...

      Once everyone had the ability to check signatures and decrypt encrypted mail, and the client defaulted to encrypted if a key was available we would be half way there. Unfortunately there is no good system at the moment for hiding the address of who the mail is being sent to, and at least in the UK ISPs are required to log that data.

      I'm somewhat surprised that Thunderbird hasn't

      • Re: (Score:2, Informative)

        by SignOfZeta (907092)

        Apple has PGP keys [apple.com] that you can use for submitting encrypted email to them; they tell you to use it for sending in proof of security issues. While they don't include the functionality in Mail, there's always MacGPG [sente.ch] (command-line tools, plus a nice Aqua-fied port) and the GPGMail [sente.ch] plugin.

        Why Apple and Mozilla make no official inclusion, I have no idea. Probably due to licensing, no doubt. (It goes without saying that Microsoft doesn't include it because they're Microsoft.)

        • Re: (Score:3, Informative)

          by AmiMoJo (196126)

          GPG is open source, GPL licenced and patent free, so really there is no excuse for not including it.

          Even GPG doesn't solve the recipient-in-plain-text problem. It's the same with SSL - the encryption is encrypted by your ISP can still see the address of the site you are visiting.

          • Re: (Score:3, Informative)

            by legirons (809082)

            with SSL - the encryption is encrypted by your ISP can still see the address of the site you are visiting.

            Well, they can see the server/domain name, although not the URL surely (the URL being sent inside HTTP, which is encrypted...)

        • Re: (Score:3, Interesting)

          by v1 (525388)

          I can send a signed or encrypted email anytime I want from mail, with no extensions. I just have to have my public and private key loaded into it (which I do) and have to have a copy of your public key. Then I just click the padalock. Oh, thank you for the reminder, my key was expired last week, heh.. got another one just now for free. Anyway, now I can click the "sign" badge and sign my email to you even if you don't have any keys. If I have your public key and I receive an email from you, it will s

      • Re: (Score:3, Interesting)

        by legirons (809082)

        If only popular email clients would ship with encryption built in, set up by the account creation wizard and turned on by default...

        But how do you swap keys?

        At this point, it would be nice for some organisation to just start signing PGP keys when you fax them a driving license or something, the equivalent to a CA but for PGP keys which traditionally needed huge effort to figure-out if the key matches the person.

  • Simple Answer (Score:4, Insightful)

    by fluch (126140) on Sunday August 03, 2008 @11:15AM (#24456225)

    ...one can't trust encryptinon if it is done off site. Point.

    If you want your communication secure encrypt it on your computer which you trust. This is the only way to keep it secure...

    • Re:Simple Answer (Score:5, Informative)

      by icydog (923695) on Sunday August 03, 2008 @11:38AM (#24456429) Homepage
      The whole point of Hushmail's program is that you do it on a computer which you trust. They also offer a version where you send stuff to their servers in plaintext and then they encrypt it for you, which is harder to trust.

      The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.
      • Re:Simple Answer (Score:5, Insightful)

        by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Sunday August 03, 2008 @01:03PM (#24457023) Homepage Journal

        The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.

        The other problem is that it's not GPG. Honestly, there is no way I'd trust any other file crypto software today. Why should I? GPG is there and works and people use it. Anything else is just rolling dice.

        This is maybe the one area where I don't think there's a lot of room for options. Crypto is almost unbelievably hard to get right, and the odds of more than a tiny handful of programs pulling it off is slim. Putting all of your eggs in one basket is risky, but I'd rather trust one titanium roll cage of a basket than 100 made out of tin foil and rusty nails.

        • Re: (Score:3, Insightful)

          Crypto is almost unbelievably hard to get right, and the odds of more than a tiny handful of programs pulling it off is slim.

          Cryptographic algorithms are difficult to design, but they are documented, implemented, and made publicly available. GPG is not the only secure encryption program out there, it is simply a common and well designed one. RSA and AES encryption libraries are widely available. They are even embedded in the Linux kernel for use by programs that call the openssl library so that the kern
          • Re: (Score:3, Interesting)

            by Just Some Guy (3352)

            For a good primer on encryption pick up Bruce Scheiner's Applied Cryptography. You can also find a lot of resources online, like wikipeida, though those articles can get a bit technical. I hope that you can learn that encryption can be utilized by almost any competent programmer, and that it is not the program you should distrust, but rather third parties. That is, after all, the heart of encryption, knowing who and what to trust and giving everyone else hell.

            I think you need to re-read it. What I took away from the book is that even if the crypto library is perfect, even good programmers are likely to screw up its usage. For example, see the recent Debian SSH mixup. That guy wasn't an idiot, but made a subtle yet completely fatal mistake.

            No, I don't trust the program. Unless it's been heavily vetted like GPG (or OpenSSL as you mentioned), I assume that it has a subtle vulnerability that makes it worthless. If you don't feel the same, then I doubt whether y

  • by TheGratefulNet (143330) on Sunday August 03, 2008 @11:17AM (#24456245)

    its just that simple.

    unless you can review (and understand) what's going on, line by line, you can't REALLY trust it.

    what is at stake, here? the gov's are at an all-time power-grabbing frenzy for violating your personal privacy. corporate, too, for that matter.

    it was once said that no one would be allowed to sell or market encryption tech that 'the big guys' would not be able to break; meaning our government. I once worked at a picture phone company (mid 80's) that was starting to go down the 'encrypt your video phone call' path (using old switched56 tech) and we were told we could NOT do our own encryption unless it was 'breakable' by, well, certain agencies.

    believe what you want, but no commercial (or even freeware) encryption that is avaiable to YOU AND I will be worth anything other than 'for show'.

    I fully believe that. you would do well to mistrust your government, too, given how greedy they have become on the rights-grab thing.

    locks only keep honest people out. there is NO WAY to keep the gov out, anymore. and that means that others, too, have backdoors (you think the gov is the only entity that can 'get to' this kind of stuff?)

    anyone who trusts encryption for their life, in this day and age, is deluded.

    • by icydog (923695) on Sunday August 03, 2008 @11:23AM (#24456287) Homepage
      And unless you're Bruce Scheiner, encryption that you do write probably isn't safe either.
      • Re: (Score:3, Insightful)

        by Naughty Bob (1004174) *

        And unless you're Bruce Scheiner, encryption that you do write probably isn't safe either.

        Necessary but not sufficient- You'd also need to be a black-belt in Silicon whittling.

    • by Iamthecheese (1264298) on Sunday August 03, 2008 @11:27AM (#24456311)
      Several kind of encryption have been inspected for years by some of the brightest minds in the field. Are you claiming that they are somehow vulnerable as well? RSA, Diffie-Hellman key exchange, 3DES, AES...
      • Re: (Score:3, Interesting)

        by DaedalusHKX (660194)

        You mean like that incident with Debian recently where some genius commented some lines that were spouting a warning in GnuPG, and it turns out that the keys generated for SSH were MUCH weaker to brute force crack than the usual ones? Yeah, most brilliant minds tend to miss things. Expert worship is a way to get one's self killed or maimed while waiting for the experts to verify that said incident actually COULD cause the maiming or killing to occur.

        Be real... nothing is 100% safe. Your only real safety

        • by thomasw_lrd (1203850) on Sunday August 03, 2008 @11:48AM (#24456533)
          The only problem with being a hardass, is that there is always a bigger hardass out there, willing to prove it to you.
        • by shaitand (626655) on Sunday August 03, 2008 @12:46PM (#24456917) Journal

          If the brilliant minds missed it, how is it you know about it?

          • Re: (Score:3, Insightful)

            by DaedalusHKX (660194)

            Brilliant minds hear so much praise that they forget they fuck up just like anyone else.

        • by Lincolnshire Poacher (1205798) on Sunday August 03, 2008 @12:52PM (#24456957)
          > where some genius commented some lines that were spouting a warning in GnuPG

          Point 1:

          No-one changed anything in GnuPG. Valgrind issued warnings regarding OpenSSL which resulted in some unfortunate changes in one distro of one OS.

          GnuPG and OpenSSL are entirely discrete projects, please don't confuse people with supposition and half-truths.

          Point 2:

          Neither you nor I can write a robust encryption algorithm. On the contrary, Rindjael and Twofish have been published in the wild now for eight years and no-one has demonstrated a weakness. If the former is acceptable as AES for US Government crypto then it is secure enough for the rest of us. Even if we assume that the NSA is 20 years ahead of the field in mathematics, if you're not dealing with the NSA then you've got 20 years lead time before Company-X can crack your files.

        • Re: (Score:3, Insightful)

          by schon (31600)

          that incident with Debian recently [...] most brilliant minds tend to miss things.

          Sorry, but the person who did that was *not* brilliant, by any stretch of the imagination.

          Unless you're trying to tell us that Whitfield Diffie, Adi Shamir, or Leonard Adelman personally signed-off on the Debian packages, in which case I'd challenge you to provide a link.

          Attempting to draw parallels between actual crypotgraphers who have created state-of-the-art cryptography, and some numbnuts who doesn't actually understand what he's doing is really, really poor logic.

          If the Debian fiasco is the best examp

      • by lorenzo.boccaccia (1263310) on Sunday August 03, 2008 @11:41AM (#24456457)
        3des is not vulnerable but computer power has passed the point on which an individual could mount an actual attack. D-H suffers from man in the middle attacks (but a secure variant exists, it's called station to station or something similar but is based on asymmetric cryptography). asymmetric cryptography as RSA works IF you could trust the third party half key, and it is not quite working given the mess we have with trusted trusting authorities. Regarding AES, there are some concern about a possible NSA backdoor; common blowfish implementation was botched - two times - allowing for key recovery. I could provide source for almost all those claims, but right now I'm too lazy to search to go ogle them.

        my point is, several expert of the field already stated concern about these algorithms, but more importantly nobody could trust any of those algorithm to work perfectly, as there are too many attack vectors - backdoors, wrong implementations, man in the middles, unexpected mathematical tricks, and why not plain old social engineering. Each one of those algorithms has its own strength and weakness, and 0,1% of the internet population could consider itself safe - without knowing every bit of the field AND of the implementation AND of the network topology between Alice and Bob and so on, cryptography is just a layer of security. Perfect Security doesn't exists, as it never existed in the first place: you always somehow need to recover that data.
        • by djcapelis (587616) on Sunday August 03, 2008 @11:54AM (#24456579) Homepage

          >3des is not vulnerable but computer power has
          >passed the point on which an individual could
          >mount an actual attack.

          I believe that would likely be DES you're referring to, not 3DES.

          Whether the NSA can attack 3DES or not is an entirely different matter. But an individual? Not yet. 3DES is about 112 bits of key if you account for meet in the middle.

          DES is ~56 bits and can be cracked in hours with special purpose hardware.

          n Hours * 2^(112-56) = 72057594037927936n hours.

          So... I think it's out of reach for an individual at the moment. Even if we could break DES in minutes...

          • by jd (1658) <imipak @ y a h o o .com> on Sunday August 03, 2008 @01:43PM (#24457371) Homepage Journal
            Upgrade the EFF's DES cracker to modern processors or GPU cores (whichever would be better at cracking DES), and decryption times of a few minutes would be realistically achievable. Depending on how efficient their code was (eg: could it fit entirely into L2, with data?), there may be room for improvement there. Add in superior cooling and overclocking techniques, you can probably get another 10-20% speedup. So if you really wanted, you could probably crack DES in under a minute, using off-the-shelf components. Triple DES is many orders of magnitude harder, I know of no machines currently out there that could make a serious dent in it. You'd need to find a weakness caused by how the DES algorithms interacted to mount a serious challenge using today's technology.
    • by LighterShadeOfBlack (1011407) on Sunday August 03, 2008 @11:30AM (#24456349) Homepage

      Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded.

      I'm sure any major government's capabilities to obtain information are beyond what they are commonly percieved to be, but that does not mean that every encryption scheme is instantly rendered null and void. No one government has control over everyone, so if you think the US government is stifling innovation in America do you also think they're doing the same in Japan, Europe, China, and anywhere else? Or do you think that those governments are all collaborating on this - now that really would be deluded.

      If all available encryption mechanisms were crackable then why would governments have gone to to such lengths to try and hinder their development in years gone by - and why would many governments now be trying to attack encryption methods via other means, eg. the recent British law that makes refusal to give up keys to encrypted material punishable by up to 5 years in prison. Why be the bad guy and make those laws if they're unnecessary anyway? I suppose you could claim it's to try and mask their true abilities, or to play up to the anti-terror idiots, but I don't see that as likely.

      • Re: (Score:3, Insightful)

        It doesn't have to be anywhere near that elaborate: just assume lawmakers have about the same level of information as us, so they think (rightfully I believe) that encryption is sound, and therefore they need that law.

      • by hacker (14635) <hacker@gnu-designs.com> on Sunday August 03, 2008 @12:16PM (#24456717)

        "Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded."

        ...and those who think they're the top in their field, are regularly and quickly shown up by those who are smarter than themselves. Just remember that for every person you're beating in any field (math, basketball, chess, whatever), there are people out there MUCH smarter, faster, better than you are.

        Just because one brilliant researcher publicly puts his stamp of approval on an algorithm, does not mean that any government doesn't have a team of similarly-brilliant researchers poking holes in that algorithm that are never made public.

        • Re: (Score:3, Insightful)

          Yes, but that goes both ways. For every brilliant person who chooses to work for the government there is another that chooses to work commercially or academically. Which is why I believe it's highly unlikely that the government could be so far ahead of the curve as the GP suggests. That is unless they were actively hindering those who work outside of the government, in which case I'd find it very difficult to believe that such efforts would be unknown.

          • by Jerry Coffin (824726) on Sunday August 03, 2008 @02:21PM (#24457665)
            The NSA (among others) does actively hinder research on cryptography outside the government, and those efforts are fairly well known. For example, the although the limits on things like key size have been raised, there are still controls on the export of some types of cryptography. They have attempted (at times) to apply these to publication that should clearly have been immune to it, such as a researcher publishing information about an algorithm, rather than attempting to export a working system.

            It's also NOT necessarily true that for every brilliant person in the government, there's another who works elsewhere, at least specifically on cryptography. In particular, the NSA is one the largest employers of mathematicians on earth. Most other employers who hire mathematicians have other jobs for them to do, so most of their time is occupied with other problems. By contrast, the NSA can (apparently) afford to hire quite a few who are allowed to concentrate entirely on cryptology.

            Given the secrecy of the NSA in general, it's essentially impossible to come up with numbers that are either exact or concrete, but it certainly seems possible and reasonable that government agencies (in general) could have considerably more time and effort to devote to this subject than the entire rest of the world.

            My feeling, however, is that the gap has been narrowing for quite a while now. From the design of DES, it appears that the NSA was aware of differential cryptanalysis (but not linear cryptanalysis) at that time; it became publicly known quite a bit later. As for AES, however, the rest of the world has caught up to the point that AES can be used on DOD Secret data, and the variants with 192- and 256-bit keys are cartified for DOD Top Secret data.

      • Re: (Score:3, Insightful)

        by Nikker (749551) *
        If minds alone are the root that provides the fruit then isn't it curious that governments harvest and continually employ a majority of these?

        If this is the fruit we see and share what type of fruit do they eat?
      • by djdavetrouble (442175) on Sunday August 03, 2008 @12:50PM (#24456941) Homepage

        Obviously you've never seen 24 and that room full of awesome computer at CTU HQ,
        and Jack Bauer's cell phone that works EVERYWHERE.

        I mean all that stuff is real, its basically a documentary.

        All it takes is one determined tow headed ex special forces DUDE with a license to ill,
        and your whole encryption thingy comes tumbling down.

    • by Cheesey (70139) on Sunday August 03, 2008 @11:43AM (#24456473)

      We got past this in the 90s; initially they said that all encryption would have to be weak (e.g. 40 bit) or go through their chips (Clipper, etc.). But they found that this didn't stand up to the reality of WWW era. What worked in the 80s for the few users of encryption at that time simply couldn't scale up for web commerce. Strong encryption was a commercial necessity, so the attempts to control the industry had to be dropped. The export restrictions disappeared, and because DES was now too weak to be useful, the new AES standard was introduced.

      Is AES full of back doors for the NSA? Almost certainly not, since these could also be used by any resourceful group of cryptographers, including the Chinese version of the NSA.

      Is quantum computing already being used to crack AES? No. Quantum computing is the cold fusion of our industry.

      • Re: (Score:3, Interesting)

        by mccabem (44513)

        if I may:

        "Is AES full of back doors for the NSA? Almost certainly not, since these could also be used by any resourceful group of cryptographers, including the Boogey Man [wikipedia.org]."

      • by DancesWithBlowTorch (809750) on Sunday August 03, 2008 @02:01PM (#24457519)

        Quantum computing is the cold fusion of our industry.

        I assume you are implying that Quantum Computing does not have any sound physical validity, will never work, and is only backed by scientists with questionable track records.

        I disagree. Quantum Computing is the hot Fusion Energy of your industry: It is much more complex than most people understand, it takes much longer to pull off than most people think, and it will take much longer to arrive than most people expect. But it has a sound theoretical foundation and is, at this point, purely a (very hard) engineering challenge, rather than pure conjecture, mixed with a few highly questionable experimental results.

    • by AmiMoJo (196126) <mojo@NOspaM.world3.net> on Sunday August 03, 2008 @11:48AM (#24456519) Homepage

      believe what you want, but no commercial (or even freeware) encryption that is avaiable to YOU AND I will be worth anything other than 'for show'.

      Truecrypt is freeware (open source) and is secure. In fact, it's more secure than any commercial offering I know of, due to its plausible deniability features. The source is there, it has been examined by experts and you can take a look yourself. Encryption options include both AES and Twofish, both known to be secure.

      Encryption is well understood and researched by academics working in public. Sure, governments have their own secret research, but a lot of very clever people all around the world have been testing AES and Twofish for weaknesses for years and so far have found none. Governments don't have any magical ability to find flaws in encryption that ordinary academics don't.

      Having said that, perhaps if you are Osama Bin Laden you might want to be a little bit paranoid. In theory, with a few billion dollars you could build a machine capable of cracking AES in months. So far there is no evidence such a machine exists, but... Most people don't have to worry about that though, even if they are doing something that could get them in serious trouble - certainly the national police, Interpol or even secret services (MI6/CIA) don't have any chance of breaking AES by brute force. Of course they could torture you now but even that isn't much of a threat to anyone not labelled a terrorist by the US.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        ...Of course they could torture you now but even that isn't much of a threat to anyone not labelled a terrorist by the US.

        But people who don't hand over their laptops and their encryption keys to DHS are terrorists! Right?

      • Re: (Score:3, Interesting)

        by trewornan (608722)

        Governments don't have any magical ability to find flaws in encryption that ordinary academics don't

        But they do have lots of academics, and often some of the very best. Case in point: the NSA discovered differential cryptanalysis years before anyone else (that we know of) and was aware that several commercially important algorithms were susceptible.

      • You make it sound like not just anyone can be (of those who haven't already been) declared a terrah-ist. It doesn't take much - and as with so many [google.com] things these days, they don't even need a warrant [usdoj.gov] to get you into "the club". All they need is for you to have a laptop and you're fair game. If you have a laptop and they haven't picked you at the airport, don't get high and mighty - remember there's literally nothing to stop them from doing it when you're 100% legal or not. Habeus Corpus and all that jazz

      • Re: (Score:3, Insightful)

        by Jerry Coffin (824726)

        Truecrypt is freeware (open source) and is secure. In fact, it's more secure than any commercial offering I know of, due to its plausible deniability features. The source is there, it has been examined by experts and you can take a look yourself. Encryption options include both AES and Twofish, both known to be secure.

        They're not"known to be secure". They're simply not known to be insecure.

        One of the basic problems in cryptography is that security is essentially impossible to prove -- about the best

    • by DaedalusHKX (660194) on Sunday August 03, 2008 @11:59AM (#24456619) Journal

      Rules for dealing with government are simple. Do not get involved in their business, do not play their games, do not volunteer anything, do not agree to anything, do not play with them, or for them. Once you do, your ass is theirs. They own you, with your consent at that.

      By the same principle, don't fuck around, don't trespass, don't steal, and don't be a crook. Learn the law VERY carefully, keep a copy of Black's Law Dictionary (I think 6th edition is out now) in several different versions. Look up innocent looking terms and verbs in forms. DO NOT consent to anything period. Sign nothing. Be sure you know what is "your name" and what is what someone may call you. Practice your rights. Yes... all of them. A right practiced doesn't need to be infringed, because you already don't have it.

      Be very suspicious not of your neighbors but of men in "special" uniforms or funny hats that supposedly give them power over you. Don't let strangers into the house. Homeschool your kids and do a god job, history, law and the local mythology are especially important subjects. Several languages and a good grasp of self defense, tactics and strategy are also quite important. Those with kids who choose to be politically active are extra vulnerable, since kids are the ultimate Achilles Heel.

      Never ever trust strangers. Trust people in uniforms even less. Never ever get into a stranger's car, despite what you see in the movies. If they want to talk to you, they can get into yours. If you are confronted by a "friend from high school" and like most average people you can't remember who you met yesterday, nevermind back then, look behind you, you're probably about to get cattle prodded in the back and shoved into a van.

      These were simple coping strategies for those who were not average plebeians and who survived the cullings of communism. I lost relatives who were educated, men I could've learned much from. I never met them because they were taught that self defense was for cops and soldiers. And when the king's men were gone, and the cops were coopted to communism... there was nobody to protect the smart, educated, "civilized" (i.e. willingly helpless) men from the cleansings. The ones who weren't "lifted" and sent off to Siberia, were enrolled into a front line regiment and given crap gear and no real training. Very few returned, most scarred for life. All I saw of them while growing up were pictures over mantelpieces. Grandmothers mourning long lost brothers or maimed cousins. That is the fate of the helpless of those who depend on others for their protection...

      And what governments are preparing today, the police states being built now, they are so much more insidious, in that they're so much better concealed behind "feel good" intentions and bullshit propaganda about "the good of man". Oh well, fools get what they deserve. There's no stopping it at this point, fools gave up that chance a long time ago. All one can do now is get out of the way and let the Leviathan leap off the cliff with all the fools aboard. Watch the splatter and feel not sorry... they laid their own beds. Trying to save the stupid from their stupidity is what got the world into its sorry state in the first place. The stupid should have been permitted to perish, and Darwin should've been allowed to have his laugh. Instead the stupid were forced to live against their best attempts, so they outbred those who merited survival and to thrive.

      • by quitte (1098453) on Sunday August 03, 2008 @12:19PM (#24456749)

        Sarah Connor? Is that you?

  • by Arimus (198136) on Sunday August 03, 2008 @11:22AM (#24456277)

    Depending on how you define secure then no, Hushmail is not.

    Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shutdown the PC and leave it shutdown for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted.

    As for Hushmail - its secure if you trust them to use suitable encryption algorithm, key material, psuedo random number generator, secure processes (not the program kind, the how to do the job kind), secure network, no shady or otherwise agreements with third parties (inc. governments) to provide decrypted data, not to store your orginal plain-text mail for any longer than the time it takes to encrypt it, securely erase the plain-text version etc etc etc. Probably enough holes to drive a bus through...

    • by hacker (14635)

      "Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shutdown the PC and leave it shutdown for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted."

      Of course you also bring your

      • by ColdWetDog (752185) * on Sunday August 03, 2008 @12:54PM (#24456965) Homepage

        ... bring your own bootable ISO cd/dvd to run the OS from which you compose and encrypt that email, and your own keyboard to ensure there are no hardware key loggers installed, right?

        OK, I'll bite (and I know the you are being a bit sarcastic) but:

        What are you all doing on your computers? If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis. Really now. From your respective basements?

        • by hacker (14635) <hacker@gnu-designs.com> on Sunday August 03, 2008 @01:14PM (#24457095)

          "If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis. Really now. From your respective basements?"

          Isn't that the point? Shouldn't we be portraying that EXACT image to the respective governments who are trying to overthrow us? Seriously, isn't that EXACTLY what they're trying to do with the false security theater that is being thrust upon us with each new day of news reports from the Middle East and domestic?

          You might find the article "Fascist America, in 10 easy steps [guardian.co.uk]" interesting in this context.

          In short, the government SHOULD be afraid of the power of the people, because it is exactly those people, who gives the government their power, not the reverse. We all COULD be harboring plans to overthrow the government, and we should anyway, if they cease to support our rights and needs as a populace. In other words, do what we're expecting of you, or expect to get overthrown. Period.

        • Re: (Score:3, Insightful)

          by turbidostato (878842)

          " What are you all doing on your computers?"

          What's this? Another turn of the old argument "but if you have nothing to hide...?" or what?

          I don't need to give *any* explanation to protect my intimacy.

  • Old News? (Score:4, Informative)

    by zifn4b (1040588) on Sunday August 03, 2008 @11:23AM (#24456291)

    It appears that this was reported back in 2007 on The Register [theregister.co.uk].

    There is indeed a clause in the clarified terms of service mentioned by the above article that states that your data is not safe from law enforcement authorities with a court order [hushmail.com] from Supreme Court of British Columbia, Canada:

    We are committed to the privacy of our users, and will absolutely not release user data without a court order from the Supreme Court of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such court order refer specifically by email address to any account for which data is required. However, if we do receive such a court order, we are required to do everything in our power to comply with the law. Hushmail will not accept a court order issued by any authority or investigative agency other than the Supreme Court of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that a court order be issued by the Supreme Court of British Columbia, Canada.

  • One way to help mitigate this risk is to decentralize aggregated services. If there were five hundred different equivalents to Hushmail, one of them going down would be less of a threat, and many of them going down would be impossible to keep quiet.

    The main problem I can come up with is market differentiation; Mom & Pops work in meatspace because physical proximity matters. With the Internet, when a product (like encrypted email) is difficult to differentiate, it is hard for more than a handful of compe

  • by KrisWithAK (32865) on Sunday August 03, 2008 @11:31AM (#24456359)

    Any developer that has worked closely with jar (zip) files should have immediately notice a possible issue with this announcement. If you use the jar tool to create a jar archive with its default options, it embeds a new MANIFEST.MF file which has a new creation time; therefore, you will get a different jar checksum even if you are archiving the same exact contents. It would have been simply possible that the Hushmail build process created a new jar file (with identical files) for each type of software distribution that they use. The only way we can be sure is to compare the file list and checksum for each file inside of the jar archives.

  • by tkinnun0 (756022) on Sunday August 03, 2008 @11:34AM (#24456387)
    The jar-file is obfuscated, bringing its size down to 270KB from 485KB. The source code archive contains a file verification.txt with this text:

    For those who wish to verify that the class files downloaded when accessing
    Hushmail are genuine, they can be compared against class files compiled from
    source using the following tools.

    Sun JDK 1.5.0_05 for Windows
    Microsoft Java SDK 4.0
    Proguard 3.5 (http://proguard.sourceforge.net)

    Usage of these tools can be determined from the included Makefile and
    proguard.conf. Note that the signing steps in the Makefile cannot be
    accomplished, and so the class files must be compared individually. You cannot
    compare the entire archive.

    The Bouncy Castle Lightweight API Version 1.31
    can be downloaded here:

    http://www.bouncycastle.org/download/lcrypto-jdk11-131.tar.gz

    The archives used by Hushmail are located here:

    https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

    Please ensure that you are comparing the same versions. Sometimes the release
    of source code may lag a few days behind the update of Hushmail.

    Questions can be directed here: https://www.hushmail.com/contact

    I haven't done this verification, but neither has the cryptome author, so I suspect this is a non-story.

  • ...when you encrypt via the web interface.

    The only secure way is to download the encryptor (source code available) and encrypt before it leaves your machine.

    Or you could do what the terrorists do and encrypt a file with one of the bazillion encryption utilities and openly send it as an attachment via hotmail. Duh!

  • Mixmaster (Score:5, Informative)

    by trewornan (608722) on Sunday August 03, 2008 @11:46AM (#24456503)

    If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.

    In general it's a bad idea to be confident in your encryption - if the Germans hadn't been so confident in Engima they might have done much better militarily.

    Any provider like this can ultimately be compelled to cooperate with security services and you've therefore got to assume they are working with major governments to compromise your communications. Common sense really.

    That said, something like Mixmaster [sourceforge.net] is a good place to start. Makes it very difficult to be located by any legal process although (of course) it won't help if the NSA takes an interest.

    Hushmail? Compromised almost as soon as it was set up I'd wager.

    • Yeah, that's pretty much why the NSA is so fanatic about being able to break encryption. Being able to read the Japanese and German codes was a decisive advantage in winning WWII. Just imagine how different the world would be if the free nations had lost. Even accepting a peace treaty that ended the war but left Germany or Japan still standing would be an entirely different world today.
    • Re:Mixmaster (Score:4, Insightful)

      by bcrowell (177657) on Sunday August 03, 2008 @02:08PM (#24457565) Homepage

      If you want encryption guaranteed against major governments you have to go with a one time pad.

      Oh, please. You've done a good job of using impressive terms to sound like you know what you're talking about. If you want to talk about the real-world risks of having your crypto broken, then you need to consider all the real-world methods by which your crypto could be broken. It doesn't matter that a one-time pad can be theoretically proved to be invulnerable to certain kinds of attacks, to which various symmetric and asymmetric ciphers are theoretically vulnerable. What matters is the actual types of attacks that are practical and likely, and the actual problems you'll have in the practical implementation of a particular method. If you're using a one-time pad, then there are several obvious, well-known things that can go wrong: (1) you have to physically exchange the one-time pads, which may be difficult to do (and do securely) if the NSA is really following you everywhere, opening your mail, etc.; (2) both parties have to maintain the security of their own copies of the one-time pads, which may be difficult to do if the NSA is really determined to get them; (3) there is a tendency for users to get lazy and reuse a one-time pad, which then makes you vulnerable to certain kinds of attacks. Standard symmetric and asymmetric ciphers are more or less immune to these problems (#1: swapping passwords securely is a lot easier than swapping large amounts of binary data securely; #2: you can keep the password in your head instead of stuffing a keychain drive under your mattress; #3: no such issue). Yes, there are also certain kinds of attacks to which standard ciphers are vulnerable and one-time pads invulnerable (e.g., dictionary attacks on your password, shoulder-surfing,...) One-time pads are not magic pixie dust for cryptography. There is no magic pixie dust for cryptography. The good news is that we're living in a golden age of privacy, in the sense that you can legally, publicly get software to do encryption so good that essentially your main worry is no longer the encryption, it's the social/personal/legal issues surrounding its implementation.

  • "Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication"

    No, it's most probably controlled by one of the brancges of the security services .. :)
  • Hushmail was never safe, not from a cryptographic perspective. Hushmail kept a copy of your private key, AND the passphrase for that key would be sent to their servers. The drug investigation demonstrates why that is unsafe, but anyone with a basic understanding of cryptography knew that it was a possibility long ahead of time.

    It is a matter of convenience trumping security.
  • Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?

    I think the submitter answered his own question.
  • by Beryllium Sphere(tm) (193358) on Sunday August 03, 2008 @02:00PM (#24457513) Homepage Journal

    Hushmail only stores your private key in encrypted form, encrypted with your passphrase. It gets decrypted only on your machine, by the Java applet. Yes, this does mean your security depends entirely on the strength of your passphrase. Use http://www.diceware.com./ [www.diceware.com]

    As for hashes being easy to crack, please. A dictionary attack isn't a crack of a hash, and reversing a hash algorithm is still beyond the state of the published art. Making collisions, yes, but recovering original text, no.

  • by Casandro (751346) on Monday August 04, 2008 @12:50AM (#24462503)

    Seriously if it's a commercial company based in the US, forget about security. They can easily be pressured to do everything the government wants.

    If you want security you have to do it yourself. Install Gnu Privacy Guard and encrypt all your e-mails. Then use TOR hidden services to set up your own e-mail servers to be sure your traffic information will stay private.

"It's like deja vu all over again." -- Yogi Berra

Working...