Attention Hushmail users, your e-mail content belongs to them

page: 1

log in


posted on Nov, 8 2007 @ 07:15 PM
I've stumbled across an interesting find. There was a legal matter recently involving an individual and the DEA (Drug Enforcement Agency) in the U.S. To be brief, the DEA had reasonable grounds to believe that a person was soliciting anabolic steroids, a crime with serious repercussions at least in the U.S. This individual had setup shop on the Internet and used a free email service to communicate with potential buyers/sellers. The e-mail service in question was Hushmail. The DEA obtained e-mail records from Hushmail and have since filed legal proceedings.

Here's where things get interesting. The DEA made requests via the MLAT or Mutual Legal Assistance Treaty. MLAT provides law enforcement with a means to obtain legal assistance from other countries in matters such as these. The requests to Hushmail yielded several CD's worth of information in regards to this case.

I have no issue with MLAT. I have no issue with the fact that law enforcement is doing their job. I have no issue with the ISP's relinquishing information in this particular matter. However I do have a serious issue with Hushmail. For those not familiar with Hushmail, here is a brief overview:

Hushmail is a Web-based e-mail service that lets you send and receive email in total security. Hushmail messages, and their attachments, are encrypted using Open PGP standard algorithms. These algorithms, combined with Hushmail's unique key management system, offer users unrivaled levels of security. Hushmail's security is end-to-end; messages are encrypted before leaving the sender's computer and remain encrypted until after they arrive on the recipient's machine, where the contents are automatically decrypted.

Not even a Hushmail employee with access to the encrypted email stored on our servers can read your email, because the email remains encrypted in storage. A Hushmail account lets you communicate in total security with any other Hush member anywhere else in the world.

Note that last paragraph, not even a Hushmail employee with access can read the e-mail and your communications have total security and privacy. So how is then that numerous CD's of this persons wrongdoings were made available. To be specific this was the e-mail content. Again I'm not questioning that this person did wrong. He has committed a crime, but this clearly indicates that encrypted e-mails are readily available. To make matters even worse, here's another excerpt from Hushmail:

Hushmail's security cannot be broken or weakened by this government sponsored snooping software. Hush's security system is a lot like a circuit, when one Hush user communicates with another Hush user, the circuit is complete and the mail they send is completely safe. To anyone other than the sender or the recipient of a Hush message, email appears as a jumble of numbers and letters. It is completely illegible. The only way to decrypt or unscramble Hush messages is by using your passphrase when you open up your Hushmail account. Carnivore cannot decrypt your mail, and is therefore, powerless against messages sent between Hush users.

This outlines the alleged strategic advantages of using Hushmail. Even the FBI's notorious Carnivore data mining and analyzing software can't read your email. So how exactly were the contents retrieved. A few have surmised that the users passphrase was somehow snagged but do we really know. Also to be fair here Hushmail users can send to others who do not use Hushmail thereby negating the encrypted process. It seems though in this particular case both parties were using the Hushmail address so there is strong belief that both sides were encrypted, otherwise what would be the point of using the service.

Avoid Hushmail at all costs if privacy is your intention.

MLAT details

case details:


posted on Nov, 8 2007 @ 07:21 PM
If not hushmail, then whom do you recommend?


posted on Nov, 8 2007 @ 08:02 PM

Originally posted by dr_strangecraft

If not hushmail, then whom do you recommend?


Good question. I was a Hushmail user but am seeking alternatives now. Still the underlying question here is how did they get the e-mail content. If this style of encryption is not the protective umbrella we think it is then it becomes increasingly difficult to find options.


posted on Nov, 8 2007 @ 08:17 PM
Most hackers would laugh at the idea of unbreakable encryption, or 'secret' emails. You could probably get the passphrase just by social engineering if the interest was strong enough. Next step would be keylogging using a Tempest truck out on the street.

Some people suggest, at least a few years ago they did, that the certain US agencies was ten steps above the rest of the world wrt encryption/decryption abilities. They could probably break most encryption by brute force over the weekend if the need was great enough.

Finally, who's to know if there hasn't been a backdoor built into something, making decryption a trivial matter.

For casual use, one might use a double encryption method. Or include something like the Navajo language plus the normal encryption. That way even if the code were broken, the message would not be interpreted. (The British tried to use Welsh like this in WWII)

2 centi-quatloos...

[edit on 8-11-2007 by Badge01]

posted on Nov, 8 2007 @ 08:40 PM
Comrad everything coming in and out of the USA via phone and e-mails is checked by your countries super computers. Everytime you write or speak a tagged word, your phone call or e-mail jumps to high priority. Say, "Hello" to Big Brother and you Uncle Sam; their listening and reading.

So... jump in there and grab your share of attention... hahahaha.

posted on Nov, 8 2007 @ 11:39 PM
I remember hearing back about the millennium or so, that PGP had a built in key for the US intel and law enforcement.

My understanding was that PGP uses a system of "public key/private key," where you can give the other key to your confederate. But I thought the NSA had delayed the release of PGP until they had inserted a second "private key" just for them, rendering decrypt a trivial exercise.

I figure its only a matter of time until organized crime penetrates the govt and gets the USG key. Then PGP will quickly become old hat.

Here's the strategies I'd recommend:

1. Conlang.
Invent a new, authentic language, and use that to communicate. In that case, you can use ANY email you want. Constructing a language is not as hard as it sounds, and you can make a "model" language of just a few hundred words. The trick is to use an alien grammar system. My experience working with US feds is that they are extremely short on linguistics and liberal arts in general. They seek the technical solution over the human, which is why we weren't expecting the 1979 Iran revolution. But that's another thread. Making your own language is called "conlang," for constructed language. Wikipedia article has links to good sites, including the "language construction kit."

2. Download a computer model of the enigma machines, or purple code from WWII. There are dozens of downloadable enigmas online for free. A number of amateur cryptologists actuall re-decrypt the famous messages from the Abwehr from WWII. While they are obviously dated, local law enforcement wont have a chance. And even the Feds will have to spend a weekend or so figuring out exactly which one you used, and then a bit trying to suss out your settings. Enigma-type machines are not true encryption, but they will take resources to break, and buy you time. I suggest putting false information in PGP and enigma-ed emails, that could confuse them with your conlang or number 4 below.

3. A one time pad
This is the only truly unbreakable cypher. A random (not computer generated and thus pseudo-random) series of numbers on a pad. your correspondent has a copy. You use each page of the pad only once. each number tells you to shift the answer x number of spaces forward in the alphabet. This really IS unbreakable, until the man gets a copy of your pad.

4. Handwritten cyphers
I believe that the governments have become extremely dependent upon digital evidence; so much so that they are ill-prepared for handwritten cyphers. Just look at the trouble the online community has, trying to quantify the "letters" in the voynich manuscript. They can't even agree on how many letters there are in the text!

new topics
top topics

log in


Off The Grid with Jesse Ventura and Partner Up to Stay Vigilant
read more: Ora.TV's Off The Grid with Jesse Ventura and Partner Up to Stay Vigilant