digg

Join DiggAbout

Digg Townhall now online!
Check out the latest Digg Townhall, where Kevin and Jay answered the top questions from the Digg Community!

Encrypted E-Mail Company Hushmail Spills to Feds

blog.wired.com — Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." But it turns out that statement seems not to apply to individuals targeted by government agencies.

show profanity settings
expand all
  • eecue, on 11/10/2007, -3/+38Wow that's not good. I've never used hushmail, but I know a bunch of security minded folks who do, or did.
    • cuzican, on 11/09/2007, -2/+3I remember signing up for hushmail ~8 years ago and reading how encrypted and safe everything was.. I was like sweet! then I was like I know there is a catch.. I just know it.. So that just goes to show ya.. run you own damn email server.. which I did but I also had my hushmail account.. I'm a dufas!
      • Jomwilli, on 11/09/2007, -4/+1Run your own mail server? Dumbass, that's 1/4th the way there. Encryption?
        • tian2992, on 11/08/2007, -0/+1PGP, sorry GPG
        • cuzican, on 11/09/2007, -0/+2Of course you run encryption but the trade off of running PGP/GPG is too cumbersome for most email users hence it is not ubiquitous.. So, if you read the story it didn't matter how much encryption when you make email convenient... so the best balance is do encryption NOT PGP/GPG and run your own email server.... I forgot that I must spell everything out for n00bs that have no respect to read or try to understand what the other person is saying.. Instead they just name call...
    • hackmyballs, on 11/09/2007, -1/+5oh *****, all those emails I sent to congress about impeaching bush are now in FBI's hands?

      I guess i'm *****!

      *buys ticket to new zealand*
  • lunigma, on 11/09/2007, -4/+36What the *****!
  • hackertamer, on 11/10/2007, -1/+49I commented this on the actual blog as well, but whose idea was it to block out text using vector blocks?
    http://i219.photobucket.com/albums/cc255/hacker_ta ...
    http://i219.photobucket.com/albums/cc255/hacker_ta ...
    • ultrafez, on 11/09/2007, -0/+8Lol somebody got fired
    • Otto, on 11/09/2007, -0/+7HAHAHAH! You'd think they'd learn how to do redaction properly after all this time. Just drawing blocks on the data in Adobe doesn't block them out.
    • mexifelio, on 11/09/2007, -0/+3Someone should forward those pics to Tyler's Lawyer
      • SniperX, on 11/09/2007, -0/+2Be sure to use Hushmail though, so they can't track it back
    • srf21c, on 11/14/2007, -0/+4Observe how Hush, inc. rolls over for the HEINOUS CRIME of purchasing anabolic steroids. Sickenening.
      • srf21c, on 11/14/2007, -0/+2correction: make that purchasing equipment that *could* be used to make a product that the govt does not approve of. *****
  • tehowe, on 11/09/2007, -0/+35This is what PGP is for.
    • Neiby, on 11/09/2007, -3/+8Yes, but using PGP is a hassle. Email encryption, in general, is a hassle. We need to re-think how we're doing things. We really need a simpler way to do it, but I have no idea what that would look like. Imagine how many people would use SSL, as an example, if it's use was as much of a pain in the ass as email encryption is?

      I really have no suggestions because this isn't my field. All I can offer is a user's perspective. I would use email encryption all the time if it were feasible, simply because I think our communications should be secure no matter what is being communicated.
      • capiCrimm, on 11/08/2007, -0/+1well if more people use firefox, it can be as simple as selecting and right clicking your text. (firegpg, it was on front page a couple of times)
      • natedouglas, on 11/08/2007, -0/+1There'd have to be a way to do it in a user-friendly fashion!
        • Rijnzael, on 11/09/2007, -0/+2There is. PGP Desktop's mail proxying feature is an easy way to do it. I use it in conjunction with PGP's Whole Disk Encryption (AES 256 + FIPS hardware token to store the key) to give a reasonably high assurance of privacy.
    • c0nv1ct, on 11/09/2007, -0/+4With Thunderbird and OpenPGP, its not a hassle, encrypt and decrypt with a simple click. I don't see why anyone would pay for a hushmail account when gmail offers imap/pop3 with ssl for free. You wouldn't have to trust some 3rd party to handle your encryption, when you can do it yourself.
    • Jomwilli, on 11/09/2007, -0/+6OK GUYS, How many of you and your friends use Email Encryption? How about Email Digital Certificates?

      Yeah, that's what I though.
  • Afronautica, on 11/09/2007, -6/+36I've always held the belief that signing up to a paid "100% Anonymous" internet/email service is on par with calling up the police to report your weed is stolen.
  • totorototoro, on 11/09/2007, -1/+9So because running Java was too ***** tedious, people just went thru an easier route, which wasn't secure? Damn.
    • asubigsaxy, on 11/09/2007, -3/+4I would think people that want security would deal with the Java. Geez
      • totorototoro, on 11/09/2007, -0/+4I just hope Hushmail popped up a huge warning requestor when people bypassed it: "DANGER WILL ROBINSON! DANGER!"
    • op12, on 11/09/2007, -0/+4Yeah, but as the article mentions, even the Java users could have their information collected. It might involve some more work, but they'd still comply with a court order. So it's not like they were that much more secure from a court order.
      • Rijnzael, on 11/09/2007, -0/+3Indeed. Putting trust in a 3rd party to not be affected by laws, court orders, and subpoenas is a bad idea. The only way to verify privacy is to do these things on your end.
  • serrebi, on 11/09/2007, -0/+13I've seen in many a nfo scene release groups using hush , I thought it was stupid when I saw it.... So, hopefully this will change things...
  • we.are.devo, on 11/09/2007, -0/+6Depressing.
  • swazo, on 11/09/2007, -4/+2haha. I can see all the MoM sites ***** themselves now.
  • isntreal, on 11/09/2007, -0/+11sucks for the comcast mole!
  • SomeImagination, on 11/09/2007, -1/+10Not good news for warez sceners, this could as easily happen to them. I know a lot of groups use hush as their mail provider
    • Jaymoon, on 11/08/2007, -0/+1Or so they say... Seriously do they even respond (or better yet check) those emails?
      • SomeImagination, on 11/09/2007, -0/+1Some do, there was a story about a one man software company that emailed a group asking them to stop releasing his program on the scene. The group emailed back saying they would stop and they did :)
        • daza, on 11/09/2007, -0/+1Ahh f**k, which group was it. I think it was C.O.R.E.! (Champions Of Reverse Engineering). Good on you for remembering that!
          • SomeImagination, on 11/09/2007, -0/+2The C.O.R.E stands for "The Challenge of Reverse Engineering" ;)
  • scronline, on 11/09/2007, -6/+5Erm, check your laws. If they give a VALID search warrant signed by a judge, you MUST comply. If you do not the number of violations they can throw at you are insane. Not the least of which is aiding and abetting (yes, I doubt I spelled it right). That doesn't mean you should just give in when the CIA/FBI/NSA comes calling, but if they have a warrant, you have no choice.
    • williamdyer, on 11/14/2007, -1/+11Which is why any DECENT service would make it so they could only hand over very limited customer records and no cleartext at all. Hushmail is now *****-on-a-*****-boar-useless-mail. The government can go ***** itself, too.
    • rot13ubercrypto, on 11/09/2007, -0/+4I don't believe that the US has the equivalent of the UK's RIP act (I think it's still in force, feel free to correct me.) As I've always understood it, this act requires you to provide means for decryption of encrypted information in your possession to law enforcement, so providers and such would have to have the means to decrypt info if told to do so by police.

      If hushmail really did not have the possibility of decrypting information, no law in the US that I know of (again, correct me if I'm wrong) should oblige them to give police access to that information if it is simply not technically possible for them to do so, warrant or not. Aiding and abetting is not applicable here, as they are providing a service for everyone, and can make the case that they are doing so in good faith.
      • redcard, on 11/10/2007, -0/+3They do. I work at a software company, and we recently had to file disclosures about the types of encryption we use as well as our contact points for disclosing the keys to the encryption..as well as a generic example of what is going to be encrypted.

        • rot13ubercrypto, on 11/10/2007, -0/+2That's mad -- dugg for informative. Isn't this different, though, insofar as it would by extension make PGP Inc. liable for users' encryption keys, or gmail for pgp-encrypted messages stored on its servers? Or is that a bad comparison, since hushmail is actually providing the encryption mechanism?

          I can understand that hushmail would have to turn over decryption keys if they have that possibility -- which sort of fundamentally invalidates the claims they make about "not even employees being able to access your info." At which point we have a back door, and we all know how secure that is...
          • redcard, on 11/10/2007, -1/+1I would suspect that PGP contains a backdoor or something similar for the NSA to be able to access stuff within.
      • srf21c, on 11/14/2007, -1/+2in the US, a civil lawsuit can compel a person to turn over encryption keys or else face contempt of court charges and time in jail.
        • williamdyer, on 11/14/2007, -0/+2They would have to sue the end-users then. Hushmail should not have given themselves the ability to decode users' mail.
        • williamdyer, on 11/14/2007, -0/+2Also, keys can be very temporary, and immediately discarded.
      • jdepp, on 11/09/2007, -0/+1well in the UK, under the RIPA, it's a criminal offense with a five year jail term to withold use of a key that would allow law enforcement agencies to decrypt data for which they have a valid warrant. So if Hushmail ever had the keys in their posession, they would be compelled to turn them over.
    • Nougat, on 11/09/2007, -0/+4Which raises this concern -- this was a Canadian company, and I'll give them the benefit of the doubt that they were adhering to a legal and specific Canadian court order. In the US, as we well know, surveillance is a world-girdling dragnet, collecting up everything from everyone, without specificity, without oversight.

      So, are there any US companies that provide similar services, which have capitulated to such a search without a specific and legal court order?
  • Mjeacoma, on 11/09/2007, -0/+9I am just curious why they couldn't invest in a dvd-r dual layer burner and just burn the data on 2 discs.....
    • Ladadadada, on 11/09/2007, -0/+2What makes you think they actually burnt the data onto 12 CDs ? The article states that it was "12 CDs worth of data" but nowhere does it say that the data was burnt onto 12 CDs.

      For some reason, the media seems to feel the need to draw some comparison of any amount of digital data with a non-digital equivalent such as "24 libraries of Congress" or "37 Encyclopedia Brittanicas" or "Every newspaper in London". It's completely unnecessary and rarely helps anyone to understand the volume of the data any better. In this case, 12 CDs sounds like more data than 2 DVDs. It would mean more to me if they just said 8.5GB... and even more if they split it up into text, meta information (such as headers) and attachments.
  • Mjeacoma, on 11/08/2007, -7/+1I wonder why they didn't just burn the data onto two dual layer dvd-r's....now THAT is what I wonder!
    • Mjeacoma, on 11/08/2007, -0/+6I made my dumb comment but it didn't show so I posted again

      damn digg comment system - should have del
  • ncc74656m, on 11/08/2007, -2/+1I don't see this making a huge difference, honestly. I mean, in the end, who knows, but I think you're going to find a lot of people changing their passwords on a daily basis now just to keep from "remembering" all of them, but in the end, we'll see.
  • freshgrease, on 11/09/2007, -0/+7Man, Sometimes I just want to hang Big Brother.
    • roguetrick, on 11/09/2007, -0/+3In Soviet Russia, Big Brother hangs YOU!
  • gaiserrc, on 11/09/2007, -0/+4Getting lazy and using the less secure method at Hushmail and getting caught... priceless
  • jscnet, on 11/09/2007, -2/+6http://www.pgp.com or http://www.gnupg.org --> problem solved.
    • Jomwilli, on 11/09/2007, -1/+4no, the people on the other end (Receiving) also has to have pgp or gpg installed.

      Guess what, there's a good chance your mom doesn't. Nor Grandma, your girlfriend, or your buddy that sends you random nude pictures at work.
    • jdepp, on 11/09/2007, -0/+2=> don't start a criminal operation with your gran or your girlfriend or the buddy who sends you random nude pictures!
  • ashlvsya, on 11/09/2007, -1/+10Thunderbird with Enigmail, one of the only truly secure methods to encrypt email. If you don't like Thunderbird, but run Firefox, then get the FireGPG plugin.

    http://enigmail.mozdev.org/
    http://firegpg.tuxfamily.org/

    If it's not open source don't trust it!!!
    • Jomwilli, on 11/09/2007, -5/+2NO, NO, NO, NO, NO. Are you a security expert or just some moron who believes that Thunderbird is the "ONLY TRULY" secure method. You couldn't be more wrong. It is just one of many ways to secure email, not the "only truly secure method."

      Geesus.
  • mattsw84, on 11/09/2007, -0/+5(tinfoil hat on) A CIA front company setup and ran Hotmail and USA mail in the nineties and also numerous re-mailers that were popular with hackers which were used to send "secure email" Yeah they read all your business!. (tinfoil hat off).
  • FelixdaaHack, on 11/09/2007, -0/+5time to close the hushmail account...they need to move their servers to a country that doesn't cooperate with US subpoenas/court orders
  • shodanx, on 11/08/2007, -0/+3hahahah the funniest is there is a linked interview to NPR on the home page of hushmail and it reads

    Technology
    E-Mail Encryption Rare in Everyday Use

    by David Kestenbaum

    Listen Now [4 min 20 sec] add to playlist

    Morning Edition, February 22, 2006 ยท Many Americans have expressed concern over the Bush administration's eavesdropping program. But there's a simple solution for anyone concerned with prying eyes, at least when it comes to e-mail: encryption.

    BWWAHAHAHHAHAHAHA
  • LogicBomB, on 11/09/2007, -0/+4I've never needed to use encrypted email but that would really, really bug me if I did. Hell it bugs me now and I don't even need it.
  • mindcrime, on 11/09/2007, -1/+7[quote]Erm, check your laws. If they give a VALID search warrant signed by a judge, you MUST comply. If you do not the number of violations they can throw at you are insane. Not the least of which is aiding and abetting (yes, I doubt I spelled it right). That doesn't mean you should just give in when the CIA/FBI/NSA comes calling, but if they have a warrant, you have no choice.[/quote]

    Sure you do, you *always* have a choice. Some choices have potential repurcusions that make them unattractive, but please don't portray it as a case where there is no choice. You are *not* obligated to do any and every thing that The State orders you to do. And until more people wake up to that fact and start asserting their rights, The State is going to continue to encroach further and further on our inalienable liberties.
    • Uchikoma, on 11/08/2007, -2/+0So that is to say, if that officials can provide enough evidence (specific account, specific activities) to get a court order, we can say "screw off?" So say we had a person who was operating a meth lab next door and there was sufficient evidence to warrant a search, you could say, screw off?

      BS. There are things we are entitled to, but not to the point where we can do whatever the hell we want without any repercussions. I guess I can start stealing cars, and even though people knew where they were driven into, they can't get a court order, b/c I can just say "screw you".

      If you read the article, the claim was that they only disclose information if there is a court order, and it is specific. This isn't a mass grab here for information. (or in the case of the RIAA, grabbing a bunch of IP's who happen to be downloading some torrent) This is a targetted turn over of data. If this is true, I see no issue here. As long as its targetted (specific individual) and court orders are given where there is sufficient evidence to warrant such a turn over.
      • srf21c, on 11/14/2007, -0/+3Whether or not something is "legal" or not doesn't mean dick. Governments simply pass "laws", which are nothing more than a pack of self-serving opinions backed by guns, so that they can commit whatever crimes they want with impunity.

        The biggest threat and criminal gang around that we need protection from is the goddamn institution of government itself.
        So ***** them and their "legal court orders".
      • williamdyer, on 11/14/2007, -0/+2Uchicoma, answer me this: Does government have the legitimate power to limit the use of encryption? If so, point out the words in, for example, the U.S. Constitution that confers that power to the government.

        If not, the government can kiss my shiny encrypted ass.
        • 3Den, on 11/09/2007, -1/+0They do not.
          They can, however, issue a court order for you to provide the decryption keys necessary to provide the data, and punish for contempt of court if you refuse.

    • jdepp, on 11/09/2007, -0/+2how much would you have to get paid to do a five year stretch in jail? If I knew I'd get $10 million when I walked out, perhaps. But a year's subscription to Hushmail is not enough to make it worth the sysadmin doing jail time.
  • petejonesrn, on 11/09/2007, -3/+1This brings the lolz. I used to use HushMail for porn before I was 18, still in high school. That was nearly a decade ago. Ha.
  • saintdesy, on 11/08/2007, -0/+2Can the Feds go after the hush.ai stuff? The servers are located in the Anguilla Islands...
    • srf21c, on 11/08/2007, -0/+2I've used an @hush.ai email address for years now, and as far as I can tell all access to my account is via the servers in Vancouver, BC.
  • inajeep, on 11/08/2007, -0/+2I had an account w/ them a long long time ago and never used it. No one in my family or friends has need of an encrypted mail system. It sounds like the Java version would still make it safe though. Unless they have a back door key.

    How do you search an encrypted mail system?
  • khyberkitsune, on 11/09/2007, -0/+4Well well, looks like the submitter knows nothing about encryption laws.

    Most nations require you to release the encryption keys to the government before they okay the use of your protocol. So any government agent can likely read hushmail.

    And this is why I run my own email server - I block all gov't IPs and all known proxies thanks to blackholes.us
    • 3Den, on 11/09/2007, -0/+0What movie did you see that in?

      Most nations let you use whatever you want... and in most places you don't need governmnet approval to use encryption... and I don't know of a single place where encryption is banned unless the government has keys.


  • Jomwilli, on 11/09/2007, -1/+4It's really easy for all of you guys to say, "Just use GPG or PGP" and problem solved.

    Nobody uses it though. I'm a Cyber Security Professional and nobody uses it except other Security guys.
    This is where it fails.
    Reply below me if you have even a free digital email certificate.
    • ScottyMcBaggs, on 11/08/2007, -0/+2I do. I have to for work. I don't you know, buy drugs through e-mail though. If I did, or was into I dunno, illegal arms dealing, people trafficking, etc I'd probably use it outside of work.
    • williamdyer, on 11/08/2007, -0/+1Excellent comment. You would think Thunderbird, at least, would have a simple encrypted email option turned on by default.
      • sancho, on 11/09/2007, -1/+3You'd think that if you have no concept of how secuirty and encryption work. There is no good solution for encrypting e-mail because key management is a pain in the ass.

        Say you turn on this "simple" feature. Then you send a message. How is the person on the other end going to decrypt it?
        • williamdyer, on 11/09/2007, -0/+2I'm aware of the key management issue. That can be solved. It should be no harder to find a mail recipient's key than it is to find a time server.
    • nanboya, on 11/08/2007, -0/+2On all accounts that I use barring gmail.
    • encognito, on 11/09/2007, -0/+3I have used Hushmail back in the day as well as PGP. Trying to convince other people to use encryption in email is a PITA. Also I am surprised you would post another message in this thread after your earlier meltdown.
    • strypersarmy, on 11/09/2007, -0/+1I use Hotmail does that count?
  • monikerd, on 11/09/2007, -0/+2yeah, this is why the smart kids use open source pgp implementations. Now don't get me wrong, police should have their digital eaves dropping. But the problem here is that only one goverment's agencies have access to it. And they probably use less strict procedures than for traditional privacy related data. Hence the smart people who protect their privacy use verifyable technology, on open systems.

    Encryption works.
    • jdepp, on 11/09/2007, -0/+1well PGP only means that the cops have to come to you with a warrant to get the key. The penalty for refusing them is pretty steep. In the UK, you can get 5 years in jail for refusing to hand over a key, and 2 years for telling anyone that you were compelled to hand over a key as part of an investigation -- you can't tip off your buddies.
      • tainc, on 11/09/2007, -0/+1But you know, I'm sure there are a good number for whom that 5-to-7 is a pittance compared to the 50-to-life they'd get for giving up the key.
    • Krhis, on 11/09/2007, -0/+1But what if the key was somehow *accidentally* destroyed before they kick down your door and present you the warrant? You wouldn't be refusing to help, and you really wouldn't have to hide anything. As long as you properly destroy the keys then go a head and tell them the password too.

      What can I say? Hard drives fail, partition tables break, and I don't keep backups. :)
      • SIRBERUS, on 11/10/2007, -0/+1lol, you're adorable.

        do gumdrop trees grow in the world you live? =P
  • strypersarmy, on 11/09/2007, -0/+1Fed fun --- use some weak encryption system then use hushmail, just make random sentences up. and watch the feds spend hours/weeks trying to figure out wtf you were doing.
    • Elrod, on 11/11/2007, -0/+3Week #1: "The ***** crows at dawn."
      Week #2: "There is a lamp in Idaho."
      Week #3: "The nurses run naked in Portsmouth General."
      Week #4: "Betty has a new stove."
      Week #5: "Getting back to the nurses, Sheila gives great bedside manner."
      Week #6: "No, really. I went in with a broken leg, and Sheila fixed me right up. Almost didn't notice the leg until I left the hospital. It was great."
      Week #7: "They're adding a new wing, so it should be even more convenient."
      Week #8:...
  • mrshiney, on 11/09/2007, -0/+0Oh noes!
  • lcarscmd, on 11/11/2007, -0/+0I have been paying for hushmail with with MS Outlook plug in for years, now I have to reconsider what we are going to do. It just goes to prove if the government want it they will get it.
  • Antexter, on 11/21/2007, -0/+1The FEDS are the least of your worries if your using it.
  • SenorGeltabz, on 05/22/2008, -0/+1F**K !!!!!! I haven't used that but that is wild.
  •  

    Login or register to add a comment

    Create a new account or login to join in the conversation on Digg. You'll also be able to Digg stories to help promote things you like.


© Digg Inc. 2008 — Content posted by Digg users is dedicated to the public domain.
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.