
How secure is @elitefitness.com e-mail?? Please read.

Big Rick Rock

Administrator
There have been some rumors about Elitefitness.com e-mail and how "unsecure" it is. I'm posting this in an effort to dispel some of those rumors and hopefully let you guys understand how Elitefitness.com e-mail really works.


Elitefitness.com E-mail is provided by Hushmail.com, and so are the Cyber-Rights.com e-mail accounts that are so popular now. It is NOT hosted by Elitefitness.com. If you want to check on this then open your elitefitness.com e-mail box and look at the URL on your browser and it should look something like https://mailserver1.hushmail.com/hushmail.php…. Hushmail has set up an e-mail system with the colors and logo of Elitefitness.com but that is where it ends.. it is all hosted and managed by Hushmail.

In case you are wondering if Hushmail itself is secure, take a look at how the hushmail.com system works (please keep in mind that this applies to elitefitness.com e-mail as well).



How Hushmail Works
Hush uses industry standard algorithms as specified by the OpenPGP standard (RFC 2240) to ensure the security, privacy and authenticity of your email. With Hushmail, users need only create and remember their own passphrases, and the secure Hushmail server does the rest. Encryption and decryption are transparent to the user, making Hushmail the most user-friendly secure mail solution available. Through the Hush Encryption Engine™, the Hush key servers take care of Public/Private key exchange in a completely seamless fashion. When a user wishes to encrypt/decrypt data or verify/sign a signature, a connection is automatically made to a Hush Key Server to retrieve the necessary Public/Private Key. It's that simple! Only Hush's solution provides such a high level of security combined with total ease of use. The descriptions below will give you an overview of how the Hush system secures email.
Figure 1
2,048 bits of random numbers are converted into a pair of keys -- one private key and one public key. (What the public key locks, the private key unlocks, and vice-versa.) Every Hush user will have his or her unique pair of encryption keys. The user's passphrase encrypts and decrypts the user's private key so that no one but the user ever has access to it. Not even Team Hush.
Figure 2
The passphrase, combined with the AES algorithm, symmetrically encrypts the private key. A one-time message key, unique to each email that is sent, is used to encrypt and decrypt the email message itself.



The message key, which is a component of the AES algorithm, encrypts the email. The recipient's public key is used to encrypt the message key.



The message key is asymmetrically encrypted using the recipient's public key. Both the encrypted email and the encrypted message key are combined and sent to the recipient.
The email may only be decrypted by using the one-time message key.
The message key can only be decrypted by using the recipient's private key.
The recipient's private key can only be decrypted by entering the recipient's personal passphrase.



The encrypted email and the encrypted message key are sent to the recipient. So, not only is the email securely coded before it is ever stored on a server, but the key to decode the email is also encoded. Further, the private key needed to decrypt this key is also encrypted. Only the recipient can retrieve their private key by entering their secret personal passphrase.
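The three layers in the description quoted above (passphrase wraps the private key, a one-time message key encrypts the mail, the recipient's public key encrypts the message key), as an added example that is not part of the original post and is not Hushmail's code. It uses Node.js built-ins; scrypt as the passphrase key-derivation step, RSA-OAEP and AES-GCM are assumptions (the page names only AES and OpenPGP), and all function names and sample values are constructed.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function aesEncrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function aesDecrypt(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Key pair is generated on the client; the stored record holds the private
// key only in passphrase-wrapped form (scrypt is an assumed KDF).
function createAccount(passphrase) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = nodeCrypto.randomBytes(16);
  const wrapKey = nodeCrypto.scryptSync(passphrase, salt, 32);
  return { publicKey, salt, wrappedPrivateKey: aesEncrypt(wrapKey, Buffer.from(privateKey)) };
}

// A fresh one-time message key encrypts the mail; the recipient's public
// key encrypts the message key. Both ciphertexts travel together.
function sendMail(recipientPublicKey, text) {
  const messageKey = nodeCrypto.randomBytes(32);
  return {
    encryptedMail: aesEncrypt(messageKey, Buffer.from(text, 'utf8')),
    encryptedMessageKey: nodeCrypto.publicEncrypt(
      { key: recipientPublicKey, oaepHash: 'sha256' }, messageKey),
  };
}

// Unwinds the layers: passphrase -> private key -> message key -> mail.
// Returns null when any layer fails (wrong passphrase, wrong key, tampering).
function readMail(account, passphrase, mail) {
  try {
    const wrapKey = nodeCrypto.scryptSync(passphrase, account.salt, 32);
    const privateKey = aesDecrypt(wrapKey, account.wrappedPrivateKey).toString();
    const messageKey = nodeCrypto.privateDecrypt(
      { key: privateKey, oaepHash: 'sha256' }, mail.encryptedMessageKey);
    return aesDecrypt(messageKey, mail.encryptedMail).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample values, not taken from the page.
const demoAccount = createAccount('six diceware words go right here');
const demoMail = sendMail(demoAccount.publicKey, 'constructed sample message');
console.log(readMail(demoAccount, 'six diceware words go right here', demoMail));
console.log(readMail(demoAccount, 'elite1', demoMail));
```

Everything in the stored account record and in the mail object is ciphertext or public material, so the passphrase is the only secret protecting the chain.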

 
Good thread and MVMAXX did a great job in putting everyone's mind at rest at the height of the drama. He managed to explain how certain accounts you could not send encrypted which answered most of the uncertainties.


Wrongun!
 
Bullshit it may be... but you never know who's trying to hack into your account.... I will use my elite mail {as I have for years} but will have reserves on the side.
 
Wrongun said:
Good thread and MVMAXX did a great job in putting everyone's mind at rest at the height of the drama. He managed to explain how certain accounts you could not send encrypted which answered most of the uncertainties.


Wrongun!
COULD YOU POST A LINK ?...I did not get to see that
 
Excellent post BRR!

In essence, we're talking about public key encryption. Just like PGP, only in this case you don't escrow your keys at all, you access them via a passphrase.


Think of a public and private key as a mathematical function.
When sending encrypted mail on the EF system it works like thus:

You use your Private Key combined with the recipient's Public Key, they combine to mathematically scramble your e-mail so that ONLY the recipient's Public Key and your Private Key can unscramble it.

The mail is stored as ciphertext, and is only decrypted when displayed by you.

EF's Mail system, when used in encryption mode, is a closed system. Meaning none of the sent e-mails leave the server, thus foiling echelon/carnivore or sniffing attempts.
 
muscleup said:
COULD YOU POST A LINK ?...I did not get to see that

http://www.intense-training.com/forums/showthread.php3?s=&threadid=5897

He also kindly explained it to me and answered all my fears.
If you have ever mailed EFSam you will have noticed you could not send encrypted which suggests it may sit on the Elite server and so yes passphrase would be open and able to change (as an admin mail addy NOT private)

Wrongun!
 
I am sorry I have to say this but about 4 years ago when I was a minor I did some stupid stuff, and the secret service came knocking and they told me about how they had monitored my emails and tracked me for months and I got into some serious shit. I was using hushmail. They said they were easily able to crack my account. So I would be very careful. Never check any suspicious emails from home.
 
dr0832 said:
I am sorry I have to say this but about 4 years ago when I was a minor I did some stupid stuff, and the secret service came knocking and they told me about how they had monitored my emails and tracked me for months and I got into some serious shit. I was using hushmail. They said they were easily able to crack my account. So I would be very careful. Never check any suspicious emails from home.


How about six months ago when an elite mod's elitemail was invaded by some means, hack or whatever, days before a major source got busted.
 
they only have to use algorithms to crack the password.... they already know your email address in most cases cos many of you display it... they don't need to intercept the message; they just need to get into your account....
 
Ashamed said:
they only have to use algorithms to crack the password.... they already know your email address in most cases cos many of you display it... they don't need to intercept the message; they just need to get into your account....



This is true for any e-mail account not just Elitefitness or Hush
 
Big Rick Rock said:




This is true for any e-mail account not just Elitefitness or Hush

mr rock just wondering something. I read where you posted that elite owns these accounts right. If elite owns the account and can change passwords can they read the mail too?

liftsiron i remember when that happened I just stood back and watched. I can remember back to when that kid died here at elite as well over dnp. I think the same thing happened then. weird shit
 
don't use elite branded hush email?

only use cyber rights or hushmail = less conspicuous?

don't choose a simple password
 
youbastig said:


mr rock just wondering something. I read where you posted that elite owns these accounts right. If elite owns the account and can change passwords can they read the mail too?

liftsiron i remember when that happened I just stood back and watched. I can remember back to when that kid died here at elite as well over dnp. I think the same thing happened then. weird shit


The password feature is meant to give a person back their account if they ever forget their password.
The old hushmail system (back in 2000) did not have this feature, so if you forgot your password then you were fucked.

I know guys that went from say "[email protected]" to "[email protected]" some to even "[email protected]" this is because once they lost their Password Hushmail had no way of getting it back or supporting them.... in the newer version Hushmail changed that, now they can change your password and give you back your account .... HOWEVER by creating a new password it also changes your key, therefore it is impossible to open the old e-mails with the new key... they also basically just "reset" your account which means it is wiped clean and you get it back yeah, but just empty.

the truth is that NO e-mail account on the net is completely safe... as has been stated before if the FEDs really want you they can plant software on your PC that will "record" your password when you enter it and then send that info to the FEDs...
 
One caveat for Hushmail /elitefitness mail (or really any system);

IT IS ONLY AS GOOD AS YOUR PASSPHRASE. If your password for elitefitness mail is 'elite,' 'elite1' etc, you're an idiot and you deserve having your mail read.

Good passphrases require planning and thought if you really are after security. That's right, a PASSPHRASE, not PASSWORD.

Read, understand, and USE the information here on creating good passwords:
http://world.std.com/~reinhold/diceware.html

I am a Hushmail subscriber, but have also subscribed to Cryptoheaven. Cryptoheaven is MUCH faster, and I have not had any mail lost by their systems (unlike Hushmail). Hushmail does seem to have improved a bit lately.
 
Wrongun said:


http://www.intense-training.com/forums/showthread.php3?s=&threadid=5897

He also kindly explained it to me and answered all my fears.
If you have ever mailed EFSam you will have noticed you could not send encrypted which suggests it may sit on the Elite server and so yes passphrase would be open and able to change (as an admin mail addy NOT private)

Wrongun!



Thanks bro. For anyone that wants to see the link it's posted here. I also addressed numerous questions on this thread.

http://www.steroidology.com/forum/showthread.php?threadid=20572

Now don't go bitching to me that you have to register. If you don't want to register then don't click on the link.

If any of you guys have questions feel free to post on that thread and I'll answer them.
 
Big Rick Rock said:



The password feature is meant to give a person back their account if they ever forget their password.
The old hushmail system (back in 2000) did not have this feature, so if you forgot your password then you were fucked.

I know guys that went from say "[email protected]" to "[email protected]" some to even "[email protected]" this is because once they lost their Password Hushmail had no way of getting it back or supporting them.... in the newer version Hushmail changed that, now they can change your password and give you back your account .... HOWEVER by creating a new password it also changes your key, therefore it is impossible to open the old e-mails with the new key... they also basically just "reset" your account which means it is wiped clean and you get it back yeah, but just empty.

the truth is that NO e-mail account on the net is completely safe... as has been stated before if the FEDs really want you they can plant software on your PC that will "record" your password when you enter it and then send that info to the FEDs...

actually the question I had asked you was that if elite could change someones password on an email account and then read the emails. Thanks
 
Did EF have a hand in the customization of the applet that gets d/l each time from hush or did EF just provide branding to Hush that they pasted into the interface?
 
This speculation about them being able to 'crack' your password... is complete nonsense. Here is why: for any law enforcement to read your email they need a warrant.... if they get a warrant why would they bother to 'crack' your password.

The warrant would be served to Hushmail or other vendor and Hushmail would hand over the keys. Simple as that. A subpoena works wonders to read mail.. no need for your passphrase.

If they are out 'cracking' passwords then they don't have a warrant which means they are breaking the law to begin with.
 
thx9000 -- Look at your browser while you're downloading the applet. It comes direct from hushmail, not from EF. George is cool but if he could break PGP, he'd be collecting the Nobel prize in math, not Plat memberships.

jh1 -- the whole point of putting the applet on your machine is that the secret key is generated on your PC and is encrypted there with your passphrase. It shouldn't go anywhere. If you lose your passphrase, that's all she wrote, for that key and all the old mail that was encrypted with it. All Hushmail can do is invalidate that key and let you start over from scratch. They can't "hand over your keys" because they don't have them. (But if your passphrase is "1234" don't come crying to hush or EF about it. 'Kay?)
 
digger said:
thx9000 -- Look at your browser while you're downloading the applet. It comes direct from hushmail, not from EF. George is cool but if he could break PGP, he'd be collecting the Nobel prize in math, not Plat memberships.

jh1 -- the whole point of putting the applet on your machine is that the secret key is generated on your PC and is encrypted there with your passphrase. It shouldn't go anywhere. If you lose your passphrase, that's all she wrote, for that key and all the old mail that was encrypted with it. All Hushmail can do is invalidate that key and let you start over from scratch. They can't "hand over your keys" because they don't have them. (But if your passphrase is "1234" don't come crying to hush or EF about it. 'Kay?)

Sensible comments IMHO

Wrongun!
 
digger said:
thx9000 -- Look at your browser while you're downloading the applet. It comes direct from hushmail, not from EF. George is cool but if he could break PGP, he'd be collecting the Nobel prize in math, not Plat memberships.

lol I did, and I understand the math/concepts involved or at least I did back in grad school. I even checked the cert to verify that the applet is signed by Hush and is indeed coming from one of their servers. That wasn't my point though...
 
yes.. but you can log into hush, or cyberrights from anywhere... it just requires downloading another applet... you are still only as secure as your password/passphrase.. a password is the weakest link...
 
I even checked the cert to verify that the applet is signed by Hush and is indeed coming from one of their servers. That wasn't my point though...

Understood. Hush put the EF logo on their product. If you speak DNS, look at the MX for 'elitefitness.com' and you'll see that ALL elitefitness.com mail goes directly to hushmail's server, not ours. (Makes my life more complicated, in fact....) If you don't trust Elite Fitness mail, you don't trust Hushmail. It's just that simple.

By the way -- I'm not an EF employee. I work at EF's ISP, and George is one of our more demanding customers. He's the most customer-oriented guy I've ever met, and he takes any problem with this site personally.
 
digger said:


Understood. Hush put the EF logo on their product. If you speak DNS, look at the MX for 'elitefitness.com' and you'll see that ALL elitefitness.com mail goes directly to hushmail's server, not ours. (Makes my life more complicated, in fact....) If you don't trust Elite Fitness mail, you don't trust Hushmail. It's just that simple.

By the way -- I'm not an EF employee. I work at EF's ISP, and George is one of our more demanding customers. He's the most customer-oriented guy I've ever met, and he takes any problem with this site personally.

I know I am connecting to Hush, I know the MX record points to Hush, and I know that no applet loads prior to my connection to Hush.

I was just going after the most paranoid scenario I could think of. That involves George learning Java, modifying Hush's applet to send our PW's or decrypted mail (after our login at hush) to some FBI.elitefitness.com server. Then he sends his doctored applet to Hush and asks them to use on mailserver1 for all EF customers.

That's kinda ridiculous though. Hush isn't going to enter into an SLA with someone that provides THEM modified code. Well at least I wouldn't. Furthermore, Hush probably wouldn't allow their reputation for secure communication to be risked this way even if they were open to the idea of allowing customers to modify their applet.

We've had customers ask us to simply allow them to do the branding changes to products they were reselling. Our answer was an adamant no, I am sure Hush looks at it the same way.
 
thx9000 said:


I know I am connecting to Hush, I know the MX record points to Hush, and I know that no applet loads prior to my connection to Hush.

I was just going after the most paranoid scenario I could think of. That involves George learning Java, modifying Hush's applet to send our PW's or decrypted mail (after our login at hush) to some FBI.elitefitness.com server. Then he sends his doctored applet to Hush and asks them to use on mailserver1 for all EF customers.

That's kinda ridiculous though. Hush isn't going to enter into an SLA with someone that provides THEM modified code. Well at least I wouldn't. Furthermore, Hush probably wouldn't allow their reputation for secure communication to be risked this way even if they were open to the idea of allowing customers to modify their applet.

We've had customers ask us to simply allow them to do the branding changes to products they were reselling. Our answer was an adamant no, I am sure Hush looks at it the same way.

You answered your own question.
 
mailvault is one of the most secure services out there. I have a friend that's a computer nerd, bigtime hacker that did a comparison of like 20 different services. Big brother may be able to crack your shit but local pigs are not gonna be able to do anything. The safest thing to do is not to use your own computer for anything sketchy. I no longer use any of this shit because I am done having to live a life of paranoia but nonetheless it's good to know about this stuff.
 
This is simple. If you don't want someone reading your email don't send it. The gov can decrypt just about anything. Short of having your own cryptology group and unlimited money we can be hacked at anytime by the feds. Right now though, let's hope they have bigger fish to fry than us.
 
jh1 said:
This speculation about them being able to 'crack' your password... is complete nonsense. Here is why: for any law enforcement to read your email they need a warrant.... if they get a warrant why would they bother to 'crack' your password.

The warrant would be served to Hushmail or other vendor and Hushmail would hand over the keys. Simple as that. A subpoena works wonders to read mail.. no need for your passphrase.

If they are out 'cracking' passwords then they don't have a warrant which means they are breaking the law to begin with.

Good points, but please remember, the EliteFitness.com and Hush mail servers are not located in the good ol US of A.
 
dr0832 said:
I am sorry I have to say this but about 4 years ago when I was a minor I did some stupid stuff, and the secret service came knocking and they told me about how they had monitored my emails and tracked me for months and I got into some serious shit. I was using hushmail. They said they were easily able to crack my account. So I would be very careful. Never check any suspicious emails from home.

If made by man it can be destroyed by man
You need something that god sent
 