From anonymousspeech.com email web site.
http://www.anonymousspeech.com/anonymous_email_facts_legal.aspx
digger said: Hush is basically a Java front end for PGP -- training wheels, in other words. PGP is "Pretty Good Privacy." The guy who wrote it didn't make grandiose claims about it, but it's better than anything from WWII.
Here are a few basics -- your key, your passphrase, has got to be LONG and COMPLEX. A program can run through all the possible combinations of eight or ten letters in a few minutes. "Yo mama" is not a good passphrase, in other words. Unless you have to type for a full four seconds to enter your passphrase, you're wasting your time using PGP. All that does is call attention to your mail without really protecting it.
The feds no doubt have tricks that would make a mere mortal like me faint dead away. But the local PD? You're dealing with some guy who took a two-day forensics course at community college. He'll try a list of stupid passwords, and if you were stupid enough to use one of them, he's in; but if your passphrase is as long as it should be, then fuck, no, he's not going to break PGP. The guy who wrote PGP spent ten years fighting to stay out of jail; he didn't do that just so someone could backdoor it.
On the other hand, spammers now "own" a third of the PC's on the planet. That's because it's trivial to turn a Windows PC into the bitch of some Russian Mafia pimp. Anyone who says "I use Garbage-O and it makes Windows safe!", I call bullshit. It's got to be at least that easy for the FBI.
Also, if you only encrypt some of your email it's just like saying "Here's the good stuff! Focus on this message right here!" The Man calls that traffic analysis, but it's just a matter of figuring out "Who have you been talking to?" and then they go talk to that person. What do you get when you add one smart person and one stupid person? Two stupid people.
I know that we have a guy here who worked on the EFF's (Electronic Frontier Foundation) anonymity system, which sounds wonderful but it's run by volunteers. "Gee, what's the easiest way to get my hands on a stack of internet traffic from people who think they have something to hide?" You got it -- become one of those volunteers. Press report earlier this month, guy used his insider status to read tons of unencrypted messages that were delivered straight to the "nodes" he contributed to the project.
The people using the anonymity service didn't understand the difference between anonymity and encryption. You need BOTH.
(By the way -- the only people who have used the EFF system here have been spammers and trolls, trying to get around being banned. It doesn't even help them with that; it just makes them stick out more.)
So... follow GJ's suggestion and learn how to use PGP without the training wheels.
Ditch Windows. Get a Linux "live CD." You have to keep records? Don't save anything to your hard drive. Save stuff to a thumbdrive and encrypt the hell out of it -- PGP can do that once you learn how to use it.
Hushmail is a hell of a lot better than nothing, and the people talking it down are mostly blowing smoke; it's just not the whole solution.
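The passphrase point above is easy to check with numbers. What follows is an added example, not code from this thread or from PGP or Hushmail: it estimates the search space a passphrase presents, converts it to time at an assumed guess rate, and flags anything on a short wordlist first, which is what a cheap investigator's tool would try before any brute force. The guess rate of 10^9 per second, the tiny wordlist, the 32-symbol "other" class and the 64/100-bit verdict thresholds are all assumptions made for this illustration; PGP's iterated passphrase hashing makes real guessing slower than a bare rate suggests.

```python
import math
import string

# Constructed stand-in for the "list of stupid passwords" an investigator
# would try first; a real wordlist has millions of entries.
COMMON_PASSPHRASES = {"password", "letmein", "qwerty", "12345678", "yo mama"}

# Assumed brute-force rate in guesses per second. The true figure depends on
# hardware and on PGP's passphrase hashing (S2K iteration count).
ASSUMED_GUESS_RATE = 1e9

# Assumed size of the alphabet for characters outside the usual classes.
OTHER_CLASS_SIZE = 32


def charset_size(passphrase: str) -> int:
    """Size of the smallest obvious alphabet the passphrase draws from."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c == " " or c in string.punctuation for c in passphrase):
        size += len(string.punctuation) + 1  # 32 punctuation marks plus space
    if any(not (c.isalnum() or c == " " or c in string.punctuation) for c in passphrase):
        size += OTHER_CLASS_SIZE
    return size


def entropy_bits(passphrase: str) -> float:
    """Upper bound on search entropy: length * log2(alphabet size).
    Dictionary words and patterns make the real value lower, never higher."""
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(charset_size(passphrase))


def seconds_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def assess(passphrase: str, guesses_per_second: float = ASSUMED_GUESS_RATE) -> dict:
    """Return bits, exhaust time and a verdict. Thresholds are assumptions."""
    if passphrase.strip().lower() in COMMON_PASSPHRASES:
        bits = 0.0
        verdict = "wordlist"  # falls to the first thing any tool tries
    else:
        bits = entropy_bits(passphrase)
        verdict = "weak" if bits < 64 else "adequate" if bits < 100 else "strong"
    return {
        "bits": round(bits, 1),
        "seconds_to_exhaust": seconds_to_exhaust(bits, guesses_per_second),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for p in ["yo mama", "abcdefgh", "Tr0ub4dor&3",
              "Unless you have to type for a full four seconds"]:
        print(repr(p), assess(p))
```

Eight lowercase letters come out at roughly 38 bits, which at the assumed rate is a few minutes of guessing, matching the post's claim; a sentence-length passphrase mixing cases and spaces lands in the hundreds of bits.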
digger said: I know that we have a guy here who worked on the EFF's (Electronic Frontier Foundation) anonymity system, which sounds wonderful but it's run by volunteers. "Gee, what's the easiest way to get my hands on a stack of internet traffic from people who think they have something to hide?" You got it -- become one of those volunteers. Press report earlier this month, guy used his insider status to read tons of unencrypted messages that were delivered straight to the "nodes" he contributed to the project.
The people using the anonymity service didn't understand the difference between anonymity and encryption. You need BOTH.
LAN T said: With a warrant they can, but not without one. This is still the USA.
Mavafanculo said: Even assuming no backdoor to the version of PGP that Hush is using (more on that below), a weak link is their use of the Java front end to perform the encryption. Java has direct access to your machine's IP and bypasses any proxy settings and (so far) any anonymizer software, and Hush then logs that IP, linking you to your account and emails.
They indicate on their site you now have a no-Java option, but I can't find it (unless you just turn off Java in your browser settings and Hush then figures out what to do from there). With this option, you'd be vulnerable to a man-in-the-middle attack or data sniffing (since the email isn't encrypted until it gets to the Hush servers), but you'd have to already be the subject of an investigation for that to be an issue, in which case you're fucked anyway.
jh1 said: If the feds want to run a node on T.OR they are more than welcome to do so. It was designed with this possibility in mind; it only provides anonymity for the transport and the shielding of the actual client. I invite the feds to run as many nodes as they want, including exit nodes. Being a node or many nodes won't give you enough information: you only know the IP of the previous and next hop, not the contents of the communication nor the original source or the final destination.
It is encrypted by the way, from the client all the way to the exit node.
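Both jh1's point (a relay only learns its neighbours) and digger's earlier one (an exit node sees whatever was not encrypted end to end) come down to how the layers are nested. The following is an added toy, not jh1's code and not Tor's: the per-hop cipher is a stdlib HMAC-SHA256 keystream with an HMAC tag standing in for Tor's real circuit crypto, and the hop keys are constructed for the demo rather than negotiated. Each relay peels exactly one layer, learns only an instruction for the next hop, and cannot open a layer meant for another relay; the exit relay is the one that sees the destination and the payload in the clear.

```python
import hashlib
import hmac
import os

LAYER_NONCE = 16
LAYER_TAG = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for a
    # real stream cipher, good enough to illustrate layering, not for production.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer: nonce || tag || ciphertext, authenticated under this hop's key."""
    nonce = os.urandom(LAYER_NONCE)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; fails closed if the key is wrong or the cell was altered."""
    nonce = blob[:LAYER_NONCE]
    tag = blob[LAYER_NONCE:LAYER_NONCE + LAYER_TAG]
    ct = blob[LAYER_NONCE + LAYER_TAG:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer tag mismatch: wrong hop key or tampered cell")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(circuit, destination: bytes, payload: bytes) -> bytes:
    """circuit: list of (hop_name, hop_key) from entry to exit.
    The innermost layer is for the exit and names the real destination;
    every outer layer names only the next hop."""
    if b"|" in destination or any(b"|" in name for name, _ in circuit):
        raise ValueError("hop names and destination must not contain '|'")
    cell = layer_encrypt(circuit[-1][1], b"DELIVER|" + destination + b"|" + payload)
    # Wrap from the exit outwards: middle's layer points at exit, entry's at middle.
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        cell = layer_encrypt(key, b"FORWARD|" + next_name + b"|" + cell)
    return cell


def relay(hop_key: bytes, cell: bytes) -> dict:
    """Everything a single hop can do and learn from the cell it receives."""
    inner = layer_decrypt(hop_key, cell)
    kind, rest = inner.split(b"|", 1)
    if kind == b"FORWARD":
        next_name, remaining = rest.split(b"|", 1)
        return {"action": "forward", "next": next_name, "cell": remaining}
    if kind == b"DELIVER":
        destination, payload = rest.split(b"|", 1)
        return {"action": "deliver", "destination": destination, "payload": payload}
    raise ValueError("unknown instruction")


def run_circuit(circuit, onion: bytes):
    """Walk the cell through every hop, recording what each hop saw."""
    log = []
    cell = onion
    for name, key in circuit:
        view = relay(key, cell)
        if view["action"] == "forward":
            log.append((name, "forward", view["next"]))
            cell = view["cell"]
        else:
            log.append((name, "deliver", view["destination"]))
            return view["payload"], log
    raise ValueError("circuit ended without a DELIVER layer")


def make_demo_circuit():
    # Constructed hop keys for the demo; Tor derives these per hop in a handshake.
    names = [b"entry", b"middle", b"exit"]
    return [(n, hashlib.sha256(b"demo-key-" + n).digest()) for n in names]


if __name__ == "__main__":
    circuit = make_demo_circuit()
    onion = build_onion(circuit, b"mail.example:25", b"hello from the client")
    payload, log = run_circuit(circuit, onion)
    for entry in log:
        print(entry)
    print(payload)
```

The log shows the asymmetry the thread argues about: entry and middle record only "forward to <next hop>", while the exit records the destination and hands over the plaintext. That is why running relays alone does not break the transport, and also why content must be encrypted separately if the exit is not trusted.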
Mavafanculo said: Is there a possible backdoor to PGP? Seems to depend on the version, from the reading below. Is there a 3rd-party independent audit of the PGP version and its implementation Hushmail is using? Probably not.
Here are some interesting links:
http://www.rossde.com/PGP/pgp-adk.html
PGP: Additional Decryption Key (ADK)
http://www.wilderssecurity.com/archive/index.php/t-16578.html
PGP has a backdoor in for the government?
http://seclists.org/politech/2001/Jan/0063.html
NA fesses up to backdoor?