how hush is hushmail?

Discussion in 'privacy technology' started by marcodemarco, Feb 19, 2009.

Thread Status:
Not open for further replies.
  1. marcodemarco

    marcodemarco Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    14
    How secure is Hushmail? I think it does not carry the IP of the sender. When I sent an email to myself with a proxy through Yahoo, it had my IP in the headers, but Hushmail did not. Can the sender's email location be traced with Hushmail?
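
The check described in the post above (send yourself a message, then look for the sending address in the received headers), as an added Python example that is not part of the thread. Both sample messages, their hostnames and the documentation-range IP addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a webmail provider that records the client address.
LEAKY = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Thu, 19 Feb 2009 10:00:02 +0000
Received: from [203.0.113.45] by web1.mail.example.net via HTTP;
\tThu, 19 Feb 2009 10:00:00 +0000
X-Originating-IP: [203.0.113.45]
From: me@example.net
To: me@example.org
Subject: test

body
"""

# Constructed sample: only the provider's own relay appears in the headers.
CLEAN = """\
Received: from smtp.example.com (smtp.example.com [198.51.100.20])
\tby inbox.example.org with ESMTP; Thu, 19 Feb 2009 10:05:02 +0000
From: me@example.com
To: me@example.org
Subject: test

An address in the body (203.0.113.45) is not a header and is ignored.
"""

# Whole dotted quads only, so 203.0.113.4 never matches inside 203.0.113.45.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def header_ips(raw):
    """Map each header name to the set of IPv4 addresses found in it."""
    found = {}
    for name, value in message_from_string(raw).items():
        for token in IP_RE.findall(str(value)):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1
                continue
            found.setdefault(name, set()).add(ip)
    return found


def headers_exposing(raw, sending_ip):
    """Names of headers that carry the address the message was sent from."""
    target = ipaddress.ip_address(sending_ip)
    return sorted(n for n, ips in header_ips(raw).items() if target in ips)


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, headers_exposing(raw, "203.0.113.45"))
```

An empty result only means the address is absent from the delivered headers; it says nothing about what the provider logs on its own servers.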
     
  2. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    Well, even Gmail hides IP headers. I have read in some places that Hushmail has to turn your data over to the feds, so I just stayed away from these guys.
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    If you want to hide your IP and Hushmail is not including your IP in the headers, then that is what you need. If, on the other hand, you want to encrypt messages, I'd suggest you use your own encryption solution (like Thunderbird+Enigmail+GnuPG, for instance).
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
  5. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    Hushmail is totally insecure. They handed over E-mails of not just one person, but hundreds of people in relation to the steroids. The total amount of E-mails they handed over totaled over 9 DVDs' worth. The government used the emails as evidence against the alleged dealers, and also to compile a database of tens of thousands of addresses that were included in E-mails to the steroid people. Do a Google search for Operation Raw Deal and it goes into more details of what they did and how they did it. Pretty much it was a massive breach of privacy: of the tens of thousands of addresses they got, they only arrested a bit over one hundred people (I think they said they were searching through the addresses for famous athletes, but didn't care much about 'normal' people). They either used bugged Java applets, or they sniffed passphrases of users in the split second they were on their servers if the users opted for the JavaScript option instead of Java.

    I am amazed Hushmail manages to stay in business now that it has been revealed how incredibly weak the protection their service offers is.
     
    Last edited: Feb 20, 2009
  6. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    Yeah, I know people think these guys are good even though they're not. I always stick with Lavabit or Xeromail, but that's just me.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Would I be considered the most idiotic guy on the forum if I bothered to ask why you guys decided Hushmail was so evil because they helped to get at proven criminals? Sometimes this whole privacy thing gets out of hand. I am for the right to not have your privacy breached without reason, but I sure as hell am not for the right of the guy selling the drugs and his buyers to not have everything they own searched, the evidence collected, and them being tossed into the closest barred room.

    If some of these so called "privacy advocates" had their way, law enforcement would essentially have their hands tied behind their backs. I say hooray to Hushmail in this particular instance. Now, that's not to say I'm condoning what does appear to actually be weak protection from Hushmail, but I applaud them turning over the information requested in this instance. If you want to commit a criminal act and don't want to get caught, either don't do it or use a service in a country not under the influence of any other nation's laws.
     
  8. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    Well, true, that works great as long as it's not abused; that's my only view on it. Sadly, a lot of times it ends up getting abused.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Exactly Jon, no laws are perfect (they're made by imperfect beings), and abuses can and do happen. Some just take their right to privacy to the extreme (the actual RIGHT to privacy doesn't exist if you read the U.S Constitution). Some seem to prefer privacy over safety, which is an incredibly stupid and dangerous mindset. BOTH privacy and security can be achieved. But, due to certain past failures (aka Sept 11), and the distrust of the people to have their government protect them from those failures, lawmakers are quick to pass measures without fully considering every possible scenario that could cause the measure to fail or be subject to abuse.
     
  10. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    Yeah, you are correct. I guess I am just big into privacy, but sadly someone out there always has to screw it up for us; every system that we enjoy to give us privacy ends up getting abused.
     
  11. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    In Nazi Germany it was essentially illegal to be Jewish. Would you applaud Hushmail if they turned over the addresses of a Jewish mailing list in that era? Extreme example, Godwin etc, but the thing is where do you draw the line? The law is just a bunch of words, it isn't the moral code of humanity. Steroids are not illegal in much of the world, but they still gathered everyone's addresses, even those who broke no laws where they live. Is the USA the police of the world? Do they have a right to store the address of a Mexican national who legally purchased steroids that are illegal under American law?

    Why does someone who chooses to use Steroids deserve to be prosecuted anymore than someone who chooses to practice the Jewish religion? Because propaganda says so? Now I am not a steroid user and have nothing to do with this case, but it disgusts me how people don't seem to think of the big picture but rather focus on what is force fed down their throats by a Government with an extremely corrupt agenda, the agenda that is given to them by Big Pharmaceuticals, Big Tobacco and Alcohol and the private prison industry (and the construction industry who builds the prisons) who donate billions of dollars to politicians, not to mention law enforcement who have the majority of their jobs depend on outlawing substances.

    Besides, if "Criminals" (whatever that word means, is a Jewish professor in Nazi Germany a criminal because the law says so?) are not provided privacy and safety by a service then no one is. What will you think when they make it illegal for you to do whatever it is you do?

    In China it is illegal to speak out against the Chinese government. Should Hushmail turn their emails over to the Chinese government? That is a less extreme example.

    The fact is Hushmail lied about their abilities. I find it hard to believe they didn't know of the flaws in their system but regardless they sold it as secure. Hushmail has no security for "criminals" so it has no security for anyone, any day the law can change to make anything illegal and anyone a criminal. What about Torrents, do you ever use them? Then you are a Criminal most likely. When the law and even morality (which is subjective) are a variable in a security system, the security system is not worth anything at all and is flawed. Hushmail should go out of business and hang their heads in shame for selling lies.

    I am not so much saying hushmail is evil for assisting the government, they had no choice. They are however liars for saying that their system was stronger than they obviously knew it to be. Liars are quite evil in my opinion.

    Now please don't think of me as an ignorant drug using "hippie", I am neither. But I hate to see people defend a flawed system just because the flaw was used against drug users. Don't take this as a personal attack, all I am saying is think of the big picture (if criminals are not safe with a system, no one is) and also think outside of the box (Why are drug users less than non drug users? Whose rights do they violate? Thieves violate rights. Rapists violate rights. Bullies violate rights. Drug users sometimes violate rights, but using drugs is not inherently violating the rights of others).

    Also, I differentiate between the right of private organizations to ban steroid use (sports organizations, body building clubs) and the 'right' of the government to dictate morality.
     
    Last edited: Feb 21, 2009
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Right. And I read originally that this was growth hormone. I remember a few years ago they arrested a school teacher for bringing DHEA into the country from a trip overseas. It was a small amount for personal use. It is now a common nutritional supplement. The drug companies (through the FDA) have waged a war on nutritional supplements with all kinds of bogus studies and misinformation. There has been a lot of misinformation in the last few years, if you know what I mean. More and more I am seeing the truth in the statement, "power corrupts. Absolute power corrupts absolutely".
     
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Just think about the effect of announcing that everyone's personal conversations and connections are being logged, including reporters, peace groups, PETA etc.... Where does that leave the whistle blowers and anonymous news sources that we have relied on to get some truthful information?? Those who are normally afraid to speak, and with good reason? ALL people will be careful about what they say. Most people, to some degree, will think twice about what they read for fear of it being used against them. And I am not talking about illegal material either. Freedom of the press, freedom of speech, and a right to privacy will all take a big dive. We will have degraded further into the moral decay that had begun 8 years ago, spreading like a virus.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What concerned me about Hushmail was not that they cooperated with Law Enforcement, but that they decided the bar was so low over what they would cooperate for which makes it a sacrifice of some integrity.

    If it was they verified that the guy was communicating with known terror cell deathtoamericajihadxyz or posting images to nambla usenet group, I can understand their willingness. There is real and immediate physical danger. That the reality was someone selling pills/chemicals which may or may have not been legal because he didn't have approval from the guild of that realm is disturbing. They are fully within their TOS to do so, but it demonstrates that their house is made of straw, and a strong gaze in their direction is enough to get them to bow down. Of course, I don't want pill sellers spamming through XB, but we would just kick them instead, or block their spam from going out.

    So if they use their TOS to crack down on people selling pills, would they then give up user info if a traffic warden showed up with a parking violation? Just how low is the bar? Is there a bar?
     
  15. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    They actually heavily modified their threat model (and possibly TOS, not sure) after the steroid thing went down. Before that, they actually bragged about how their service could prevent government monitoring, and that even they couldn't get at their users' e-mails, if I recall correctly. Pretty much they knowingly sold snake oil, and didn't admit to it until they made international news.
     
    Last edited: Feb 21, 2009
  16. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    Also, the entire thing was totally politically motivated. It was shortly before the Olympics, and the raw steroids were all produced in China, where the Olympics was hosted. Coincidence? I think not, especially since the DEA report mentioned that it had been going on for around three years before they finally decided to do something about it. Funny that they waited until right before the Chinese-hosted Olympics to bust such a thing... could almost lead one to believe that they didn't so much care about steroids per se, but rather wanted to tie China to steroid distribution right before the Olympics.

    I agree though, if it was terrorists I wouldn't care near as much. But it wasn't, it wasn't about rights violations it was about embarrassing the Chinese government in front of the international community, and the users and dealers were merely collateral damage as far as they were concerned.

    Also, it wasn't spamming (like the Viagra spam, for example). It was steroid sellers using Hushmail to communicate with their customers; as far as I know it was totally customer-to-customer word-of-mouth advertising. Also, a large percent of the people involved broke no laws in the countries they lived in, but they still had their addresses harvested and their supposedly secure E-mails read so that a case could be made against the people who actually did break the law (mostly Americans).

    It is funny to hear the DEA spokesperson talk about the case. She went on about how the Government has 'secret' abilities to read even encrypted E-mails, made themselves out to look like some omnipotent being that nobody and no technology could hide from. Funnily she didn't mention that it was a very non-sophisticated attack against an inherently weak security model.

    Speaking of inherently weak security models, it is my belief that ALL web based encryption services are totally flawed. If you want truly secure e-mail, you should encrypt with GPG and connect to the service with Tor or Xerobank. Web based encryption services that don't use a secure, standard (non java applet, which can be specifically bugged on a user by user basis) client side component are all snake oil. Hushmail, Safe mail, cyber rights, etc.... they are all flawed security models and totally worthless.

    To be really secure, you should use GPG for key distribution and use a symmetric encryption algorithm such as Serpent to encrypt the messages. Future messages can be encrypted with a hash of the old key, for forward secrecy.

    The one advantage of using safe-mail is that all E-mails from them are encrypted, so pre-encrypting your messages won't stand out and draw attention to them (a passive adversary won't notice you are using pre-encryption, as they would if you are using Hotmail for example). Hushmail requires Java or JavaScript though, so it is better to not use them at all, because Java and JavaScript can be used to exploit Tor and to a much, much lesser extent could technically be used to exploit Xerobank if a malicious exit node ever arose (which to my understanding is unlikely, although not impossible). Also, bugged Java applets can do a lot more than just exploit anonymity networks and tap E-mail.

    Also, and Steve please correct me if I am wrong, but I believe that although Xerobank protects against a malicious exit node inserting a bugged Java applet (such as Torment, for Tor), it won't protect against a server accessed via the anonymity network from obtaining the user's real IP address if the server is the one sending the bugged applet (such as Hushmail could do).
     
    Last edited: Feb 21, 2009
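
The "hash of the old key" scheme from the post above, as an added Python example that is not part of the thread. It covers key derivation only: SHA-256 stands in for the hash, the cipher (Serpent in the post) is omitted, and the seed, class and function names are constructed for illustration. It shows which message keys a seized endpoint does and does not give up.

```python
import hashlib


def next_key(key):
    """Key for the following message: a one-way hash of the current key."""
    return hashlib.sha256(b"next-message-key" + key).digest()


class KeyChain:
    """Holds only the current key; each step overwrites the previous one."""

    def __init__(self, initial_key):
        self._key = initial_key
        self.index = 0

    def take(self):
        """Return (message number, key) and advance, dropping the old key."""
        used = (self.index, self._key)
        self._key = next_key(self._key)
        self.index += 1
        return used

    def snapshot(self):
        """The state someone seizing this endpoint right now would obtain."""
        return self._key


def derivable_from(stolen, count):
    """Every key computable by hashing forward from a stolen key."""
    keys = []
    for _ in range(count):
        keys.append(stolen)
        stolen = next_key(stolen)
    return keys


def demo():
    # Constructed seed; in the post this secret is exchanged under GPG.
    seed = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = KeyChain(seed), KeyChain(seed)
    sent = [sender.take() for _ in range(3)]            # messages 0..2
    in_sync = sent == [receiver.take() for _ in range(3)]
    reachable = set(derivable_from(sender.snapshot(), 100))  # seized here
    later = [sender.take() for _ in range(3)]           # messages 3..5
    return {
        "in_sync": in_sync,
        "past_exposed": sum(key in reachable for _, key in sent),
        "future_exposed": sum(key in reachable for _, key in later),
    }


if __name__ == "__main__":
    print(demo())
```

Earlier keys stay out of reach only if both ends really delete them after use, and every key after the seizure is derivable, so a chain like this needs a fresh key exchange to recover from a compromise.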
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    XeroBank does not allow participation, so it is immune to exit node injections. XeroBank also prevents bugged applets, applications, etc. like Skype/Java/Flash from revealing a user's real IP address because it uses full low-level VPN implementation on OSI layer 3/4. You get even stronger protection with XeroBank cryptorouters, which protect at layer 2/3.
     
  18. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Steve, just a quick question: Are the Cryptorouters available for personal use yet? I have taken a look at the Janus device and was curious because of Kyle's involvement if it's the same thing?
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Same hardware, different software core. Kyle informs me that OpenVPN and SSH services have been completed, and he's now working on the visual interface.
     
  20. marcodemarco

    marcodemarco Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    14
    +1 I agree with that. No sympathy for criminals, but I also do not condone their weak protection and the apparent hiding of this. I also find it hard to believe Hushmail could have any system no one could ever get at; I don't think computers are that 'ungettable at'.
     
  21. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What is ethical, legal, moral in your country may be unethical, illegal, or immoral in another country. For example, what if Iran served papers to Hushmail to disclose the identity of someone, because they were suspected of being homosexual (for which the punishment is execution.) This may be "evil" in Iran, just like selling steroids is "evil" in Canada or wherever. You may balk at this comparison, but you will find that your scope is limited to moral relativism.

    The body of what we consider laws do not govern what is universally and objectively moral or immoral, they merely reflect what a particular society is comfortable with. What your society thinks is a right, others will say is inhuman, and vice versa. To foist one's cultural limitation on others, such as nannying what chemicals people can put in their bodies, is both ethnocentric, arrogant, and does not reflect the sovereignty of the human being or the sovereignty of another country.

    Quite simply, if I don't live in your country, I am not bound by your laws, and you are not bound to help others enforce them against me. This creates a dilemma in a service provider. Whose laws do they decide to uphold? Their country of jurisdiction? Any law enforcement body that inquires? What if the user is outside of the jurisdiction of the inquiry? What if the inquiry comes from a country that has no jurisdiction over the corporation? Obviously a standard has to be set. The problem as I see it is that Hushmail set a low bar.
     
  22. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    This is confusing the issue. Cryptography is a neutral tool. However, people may use it to do things which are morally objectionable to you.

    In either case, back on topic, I believe it was the use of a non-standard client that meant the keys were not on the user's computer but on Hushmail's servers that allowed them access to the accounts.

    Re Hushmail's system, I don't think you can say either way whether they really have a secure system. Their standard client may well be secure. However, I wouldn't trust them anyway after that event. If your business relies on keeping data private and you have an epic fail like that...
     
    Last edited: Feb 22, 2009
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Look I agree that there are gray areas galore in something like this, but if Hushmail is in the U.S, then it doesn't matter if a customer is Iranian, Chinese, whatever, they HAVE to abide by the laws of the country they are in. If the drugs were shipped to China to a Chinese user, then no, they aren't going to go after that guy. They go after who they can get to, which is U.S citizens. As far as the U.S being world police, don't even get me started because it would just be one long anti-U.S rant. I detest how they are influencing so many other nations they have no right trying to influence.

    Back on topic, a lot of laws are just plain silly, but without them, well, you don't want to see that, I have. Hushmail had to do what it had to do. Their security is an entirely different matter and no, I would not use them knowing what I know now.
     
  24. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    so which provider is secured?
     
  25. AnonG

    AnonG Registered Member

    Joined:
    Oct 26, 2008
    Posts:
    28
    Location:
    Central Europe
    I couldn't have said this any better. These are the reasons why I have gone to great lengths at protecting my privacy and anonymity online and ITRW. Even though I live in a democratic European country it seems that Iran-like state guardianship is increasing in the West and doesn't seem to be stopping. Phil Zimmermann said in an interview concerning the Hushmail case that the best way to protect your email is to do it yourself. Once you sign up for a service you have very little if any control over your data.
     