how hush is hushmail?

How secure is hushmail. I think it does not carry the ip of the sender. when i sent an email to myself with a proxy thru yahoo it had my ip in headers but hushmail did not. Can the senders email location be traced with hushmail?

 

Well even gmail hides ip headers , I have read in some places that hush mail has to turn your data over to the feds so I just stayed away from these guys.

 

If you want to hide your IP and hush mail is not including your IP in the headers, that that is what you need. If, on the other hand, you want to encrypt messages, I'd suggest you use your own encryption solution (like Thunderbird+Enigmail+GnuPG, for instance).

 

Hushmail hacked one of their users to capture their password, when they were approached by federal agents about one of their users supposedly selling steroids via email. They ended up handing over 2 discs worth of the users emails.

http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

http://arstechnica.com/security/news/2007/11/secure-hushmail-can-still-talk-to-the-feds.ars

 

Hushmail is totally insecure. They handed over E-mails of not just one person, but hundreds of people in relation to the steroids. The total amount of E-mails they handed over totaled over 9 dvds worth. The government used the emails as evidence against the alleged dealers, and also to compile a database of tens of thousands of addresses that were included in E-mails to the steroid people. Do a google search for operation raw deal and it goes into more details of what they did and how they did it. Pretty much it was a massive breach of privacy, of the tens of thousands of addresses they got, they only arrested a bit over one hundred people (I think they said they were searching through the addresses for famous athletes, but didn't care much about 'normal' people). They either used bugged Java applets, or they sniffed passphrases of users in the split second they were on their servers if the users opted for the javascript option instead of Java.

I am amazed Hushmail manages to stay in business now that it has been revealed how incredibly weak the protection their service offers is.

 

Yea I no people think these guys are good even though there not, I always stick with lavabit or xeromail but that's just me.

 

Would I be considered the most idiotic guy on the forum if I bothered to ask why you guys decided Hushmail was so evil because they helped to get at proven criminals? Sometimes this whole privacy thing gets out of hand. I am for the right to not have your privacy breached without reason, but I sure as hell am not for the right of the guy selling the drugs and his buyers to not have everything they own searched, the evidence collected, and them being tossed into the closest barred room.

If some of these so called "privacy advocates" had their way, law enforcement would essentially have their hands tied behind their backs. I say hooray to Hushmail in this particular instance. Now, that's not to say I'm condoning what does appear to actually be weak protection from Hushmail, but I applaud them turning over the information requested in this instance. If you want to commit a criminal act and don't want to get caught, either don't do it or use a service in a country not under the influence of any other nation's laws.

 

Well true that works great as long as its not abused that's my only view on it, sadly a lot of times it ends up getting abused.

 

Exactly Jon, no laws are perfect (they're made by imperfect beings), and abuses can and do happen. Some just take their right to privacy to the extreme (the actual RIGHT to privacy doesn't exist if you read the U.S Constitution). Some seem to prefer privacy over safety, which is an incredibly stupid and dangerous mindset. BOTH privacy and security can be achieved. But, due to certain past failures (aka Sept 11), and the distrust of the people to have their government protect them from those failures, lawmakers are quick to pass measures without fully considering every possible scenario that could cause the measure to fail or be subject to abuse.

 

Yea you are correct I guess I am just big into privacy but sadly someone out there always has to screw it up for us, every system that we enjoy to give us privacy ends up getting abused.

 

In Nazi Germany it was essentially illegal to be Jewish. Would you applaud Hushmail if they turned over the addresses of a Jewish mailing list in that era? Extreme example, Godwin etc, but the thing is where do you draw the line? The law is just a bunch of words, it isn't the Moral code of humanity. Steroids are not illegal in much of the world, but they still gathered everyones addresses, even those who broke no laws where they live. Is USA the police of the world? Do they have a right to store the address of a Mexican National who legally purchased steroids that are illegal under American law?

Why does someone who chooses to use Steroids deserve to be prosecuted anymore than someone who chooses to practice the Jewish religion? Because propaganda says so? Now I am not a steroid user and have nothing to do with this case, but it disgusts me how people don't seem to think of the big picture but rather focus on what is force fed down their throats by a Government with an extremely corrupt agenda, the agenda that is given to them by Big Pharmaceuticals, Big Tobacco and Alcohol and the private prison industry (and the construction industry who builds the prisons) who donate billions of dollars to politicians, not to mention law enforcement who have the majority of their jobs depend on outlawing substances.

Besides, if "Criminals" (whatever that word means, is a Jewish professor in Nazi Germany a criminal because the law says so?) are not provided privacy and safety by a service then no one is. What will you think when they make it illegal for you to do whatever it is you do?

In China it is illegal to speak out against the Chinese government. Should Hushmail turn their emails over to the Chinese government? That is a less extreme example.

The fact is Hushmail lied about their abilities. I find it hard to believe they didn't know of the flaws in their system but regardless they sold it as secure. Hushmail has no security for "criminals" so it has no security for anyone, any day the law can change to make anything illegal and anyone a criminal. What about Torrents, do you ever use them? Then you are a Criminal most likely. When the law and even morality (which is subjective) are a variable in a security system, the security system is not worth anything at all and is flawed. Hushmail should go out of business and hang their heads in shame for selling lies.

I am not so much saying hushmail is evil for assisting the government, they had no choice. They are however liars for saying that their system was stronger than they obviously knew it to be. Liars are quite evil in my opinion.

Now please don't think of me as an ignorant drug using "hippie", I am neither. But I hate to see people defend a flawed system just because the flaw was used against drug users. Don't take this as a personal attack, all I am saying is think of the big picture (if criminals are not safe with a system, no one is) and also think outside of the box (Why are drug users less than non drug users? Whose rights do they violate? Thieves violate rights. Rapists violate rights. Bullies violate rights. Drug users sometimes violate rights, but using drugs is not inherently violating the rights of others).

Also, I differentiate between the right of private organizations to ban steroid use (sports organizations, body building clubs) and the 'right' of the government to dictate morality.

 

Right. And I read originally that this was growth hormone. I remember a few years ago they arrested a school teacher for bringing DHEA into the country from a trip overseas. It was a small amount for personal use. It is now a common nutritional supplement. The drug companies (through the FDA) have waged a war on nutritional supplements with all kinds of bogus studies and misinformation. There has been a lot of misinformation in the last few years, if you know what I mean. More and more I am seeing the truth in the statement, "power corrupts. Absolute power corrupts absolutely".

 

Just think about the effect of announcing that everyone's personal conversations and connections are being logged, including reporters, peace groups, PETA etc.... Where does that leave the whistle blowers and anonymous news sources that we have relied on to get some truthful information?? Those who are normally afraid to speak, and with good reason? ALL people will be careful about what they say. Most people, to some degree, will think twice about what they read for fear of it being used against them. And I am not talking about illegal material either. Freedom of the press, freedom of speech, and a right to privacy will all take a big dive. We will have degraded further into the moral decay that had begun 8 years ago, spreading like a virus.

 

What concerned me about Hushmail was not that they cooperated with Law Enforcement, but that they decided the bar was so low over what they would cooperate for which makes it a sacrifice of some integrity.

If it was they verified that the guy was communicating with known terror cell deathtoamericajihadxyz or posting images to nambla usenet group, i can understand their willingness. There is real and immediate physical danger. That the reality was someone selling pills/chemicals which may or may have not been legal because he didn't have approval from the guild of that realm is disturbing. They are fully within their TOS to do so, but it demonstrates that their house is made of straw, and a strong gaze in their direction is enough to get them to bow down. Of course, I don't want pill sellers spamming through XB, but we would just kick them instead, or block their spam from going out.

So if they use their TOS to crack down on people selling pills, would they then give up user info if a traffic warden showed up with a parking violation? Just how low is the bar? Is there a bar?

 

They actually heavily modified their threat model (and possibly TOS, not sure) after the steroid thing went down. Before that, they actually bragged about how their service could prevent government monitoring, and that even they couldn't get at their users e-mails, if I recall correctly. Pretty much they knowingly sold snake oil, and didn't admit to it until they made international news.

 

Also, the entire thing was totally politically motivated. It was shortly before the Olympics, and the raw steroids were all produced in China, where the Olympics was hosted. coincidence? I think not, especially since the DEA report mentioned that it had been going on for around three years before they finally decided to do something about it. Funny that they waited until right before the Chinese hosted Olympics to bust such a thing.....could almost lead one to believe that they didn't so much care about steroids per-se, but rather wanted to tie China to steroid distribution right before the Olympics.

I agree though, if it was terrorists I wouldn't care near as much. But it wasn't, it wasn't about rights violations it was about embarrassing the Chinese government in front of the international community, and the users and dealers were merely collateral damage as far as they were concerned.

Also, it wasn't spamming (like the Viagra spam, for example). It was steroid sellers using Hushmail to communicate with their customers, as far as I know it was totally customer to customer word of mouth advertising. Also, a large percent of the people involved broke no laws in the countries they lived in, but they still had their addresses harvested and their supposedly secure E-mails read so that a case could be made against the people who actually did break the law (mostly americans).

It is funny to hear the DEA spokesperson talk about the case. She went on about how the Government has 'secret' abilities to read even encrypted E-mails, made themselves out to look like some omnipotent being that nobody and no technology could hide from. Funnily she didn't mention that it was a very non-sophisticated attack against an inherently weak security model.

Speaking of inherently weak security models, it is my belief that ALL web based encryption services are totally flawed. If you want truly secure e-mail, you should encrypt with GPG and connect to the service with Tor or Xerobank. Web based encryption services that don't use a secure, standard (non java applet, which can be specifically bugged on a user by user basis) client side component are all snake oil. Hushmail, Safe mail, cyber rights, etc.... they are all flawed security models and totally worthless.

To be really secure, you should use GPG for key distribution and use a symmetric encryption algorithm such as Serpent to encrypt the messages. Future messages can be encrypted with a hash of the old key, for forward secrecy.

The one advantage of using safe-mail is that all E-mails from them are encrypted, so pre-encrypting your messages wont stand out and draw attention to them (a passive adversary wont notice you are using pre-encryption, as they would if you are using hotmail for example). Hushmail requires Java or Javascript though, so it is better to not use them at all, because Java and Javascript can be used to exploit Tor and to a much much lesser extent could technically be used to exploit xerobank if a malicious exit node ever arose (which to my understanding is unlikely, although not impossible). Also, bugged Java applets can do a lot more than just exploit anonymity networks and tap E-mail.

Also, and Steve please correct me if I am wrong, but I believe that although Xerobank protects against a malicious exit node inserting a bugged Java applet (such as Torment, for Tor), it wont protect against a server accessed via the anonymity network from obtaining the users real IP address if the server is the one sending the bugged applet (such as hushmail could do).

 

XeroBank does not allow participation, so it is immune to exit node injections. XeroBank also prevents bugged applets, applications, etc like skype/java/flash from revealing a users real IP address because it uses full low-level VPN implementation on OSI layer 3/4. You get even stronger protection with XeroBank cryptorouters, which protect at layer 2/3.

 

Steve, just a quck question: Are the Cryptorouters available for personal use yet? I have taken a look at the Janus device and was curious because of Kyle's involvement if it's the same thing?

 

Same hardware, different software core. Kyle informs me that OpenVPN and SSH services have been completed, and he's now working on the visual interface.

 

+1 I agree with that. No sympathy for criminals but do also not condone thier weak protection and the apparent hiding of this. I also find it hard to believe hushmail could have any system no one could ever get at, i don't think computers are that 'ungettable at

 

What is ethical, legal, moral in your country may be unethical, illegal, or immoral in another country. For example, what if Iran served papers to Hushmail to disclose the identity of someone, because they were suspected of being homosexual (for which the punishment is execution.) This may be "evil" in Iran, just like selling steroids is "evil" in Canada or wherever. You may balk at this comparison, but you will find that your scope is limited to moral relativism.

The body of what we consider laws do not govern what is universally and objectively moral or immoral, they merely reflect what a particular society is comfortable with. What your society thinks is a right, others will say is inhuman, and vice versa. To foist one's cultural limitation on others, such as nannying what chemicals people can put in their bodies, is both ethnocentric, arrogant, and does not reflect the sovereignty of the human being or the sovereignty of another country.

Quite simply, If I don't live in your country, I am not bound by your laws, and you are not bound to help others enforce them against me. This creates a dilemma in a service provider. Who's laws do they decide to uphold? Their country of jurisdiction? Any law enforcement body that inquires? What if the user is outside of the jursidiction of the inquiry? What if the inquiry comes from a country that has no jurisdiction over the corporation? Obviously a standard has to be set. The problem as I see it is that Hushmail set a low bar.

 

This is confusing the issue. Cryptography is a neutral tool. However people my use it to do things which is morally objectionable to you.

In either case, back on topic, I believe it was the use of a non standard client that meant the keys were not on the users computer but on Hushmail's servers that allowed them access to the accounts.

Re hushmail's system, I dont you can say either way whether they really have a secure system. Their standard client may well be secure. However wouldnt trust them anyway after that event. If your business relies on keeping data private and you have an epic fail like that...

 

Look I agree that there are gray areas galore in something like this, but if Hushmail is in the U.S, then it doesn't matter if a customer is Iranian, Chinese, whatever, they HAVE to abide by the laws of the country they are in. If the drugs were shipped to China to a Chinese user, then no, they aren't going to go after that guy. They go after who they can get to, which is U.S citizens. As far as the U.S being world police, don't even get me started because it would just be one long anti-U.S rant. I detest how they are influencing so many other nations they have no right trying to influence.

Back on topic, a lot of laws are just plain silly, but without them, well, you don't want to see that, I have. Hushmail had to do what it had to do. Their security is an entirely different matter and no, I would not use them knowing what I know now.

 

so which provider is secured?

 

I couldn't have said this any better. These are the reasons why I have gone to great lengths at protecting my privacy and anonymity online and ITRW. Even though I live in a democratic European country it seems that Iran like state guardianship is increasing in the West and doesn't seem to be stopping. Phil Zimmerman said in an interview conserning the Hushmail case that the best way to protect your email is to do it yourself. Once you sign up for a service you have very little if any control over your data.