
hushmail safety??

Svengali

MVP
EF VIP
It seems that a lot of people depend on encrypted email nowadays. The irony may be that these companies that operate the servers may be cooperating with warrants, as it says they would do on the Hushmail disclosure. Any thoughts??
 
The Feds and even some local/state agencies have access to those accounts. There are other means of secure communications via secure encryption methods. A little googling will get you up to speed and informed on alternatives.
 
The Old Vet said:
Encrypted E-mail is in no way safe. The feds can get a tap into that quicker than shit.


Really?? I thought the best they could do was get your IP from the mail but couldn't unencrypt it????? Explain
 
Secure mail is only secure from hackers and private individuals looking to steal your identity, not the government. The DEA can ask for copies of your email from the "secure mail" providers and they will get it.
 
worldclass said:
Secure mail is only secure from hackers and private individuals looking to steal your identity, not the government. The DEA can ask for copies of your email from the "secure mail" providers and they will get it.


yes
 
I know a girl that works at the NSA. In casual conversation, I asked her if the NSA had the ability to get info and read encrypted e-mail. She just laughed at me. She said there is no such thing as encrypted e-mail to the government, that they can get to it all.
 
I read a DEA report recently where they stated it was very difficult to get any real data from Hushmail accounts because they wipe the originating IP before sending the message and replace it with the server IP which is located in Ireland (which I did not know). So I think these encrypted accounts might be reasonably safe. I am sure the govt. if need be could unencrypt these e-mails but I doubt they're going to go to that length somehow. Also with the servers being located offshore does make them have to go through more hurdles to get any information they want.
 
From hushmail's website:

What if Hush receives a court order to release the contents of my account?
Hush Communications maintains its servers in British Columbia, Canada. Hush Communications complies fully with valid court orders issued by the courts of British Columbia, Canada. In order to ensure consistent treatment of all users, Hush Communications does not accept court orders from other jurisdictions. However, law enforcement agencies from other jurisdictions may pursue action through international channels compliant with the laws of British Columbia and Canada, resulting in a court order being issued by a court of British Columbia.
 
Svengali said:
From hushmail's website:

What if Hush receives a court order to release the contents of my account?
Hush Communications maintains its servers in British Columbia, Canada. Hush Communications complies fully with valid court orders issued by the courts of British Columbia, Canada. In order to ensure consistent treatment of all users, Hush Communications does not accept court orders from other jurisdictions. However, law enforcement agencies from other jurisdictions may pursue action through international channels compliant with the laws of British Columbia and Canada, resulting in a court order being issued by a court of British Columbia.



Interesting, thanks.

RADAR
 
That is interesting. The report I was referring to was a couple of years old so maybe the servers have been moved since that time but I know they mentioned them being in Ireland. Anyways this information is good to know.
 
Since Elite's mail is hush-based, maybe they should look at secure-nym who has a stated mission not to give in to subpoenas...
 
Just to follow up this is on site also:

Does Hush/Cyber-Rights.Net have a "back door" that can be accessed by government agencies?

Email, which includes attachments, sent between Hush users is completely encrypted.

What if my message is subpoenaed?

Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email.
 
Don't believe everything you read, people. The government can and will do what they want, when they want, how they want, and will tell you what you wanna hear..
 
xrsist said:
Don't believe everything you read, people. The government can and will do what they want, when they want, how they want, and will tell you what you wanna hear..


Agreed. The way I parse the company's information is that I:
A.) accept all of the concessions of the weakness of the service
B.) consider all security reassurances (back door) as spin and marketing propaganda
 
xrsist said:
Don't believe everything you read, people. The government can and will do what they want, when they want, how they want, and will tell you what you wanna hear..

History has shown that to be on the money!
 
The problem is if you are using hush and communicating back and forth with LE because you do not know the source is busted??
 
The bust that was announced yesterday, they spoke about having all the "secure/encrypted" emails from end users to the labs.
It's a joke.
 
I think that the use of hush communications makes you an easier target at this point. I am sure LE makes their assumptions about the general content of these encrypted messages.
 
slat1 said:
The bust that was announced yesterday, they spoke about having all the "secure/encrypted" emails from end users to the labs.
It's a joke.

Were they talking specifically about the lab that was busted? I'm sure the guy would give up his hush password if he thought it was going to help him.
 
Ireland huh??

That's beyond US jurisdiction but they still can cooperate.
Do you know if they keep a copy of encrypted communications?

If not, then simply POP your email and use PGP http://www.pgp.com/ to unencrypt to keep them out of your mailbox. Put your hushmail keys in your pgp keyring and that should do it.

Access said:
I read a DEA report recently where they stated it was very difficult to get any real data from Hushmail accounts because they wipe the originating IP before sending the message and replace it with the server IP which is located in Ireland (which I did not know). So I think these encrypted accounts might be reasonably safe. I am sure the govt. if need be could unencrypt these e-mails but I doubt they're going to go to that length somehow. Also with the servers being located offshore does make them have to go through more hurdles to get any information they want.
 
All the emails in the world don't prove a thing until they find gear.

Think about this guys.

You walk up to a cop on the corner and say, "I have a huge bag of cocaine at my house." The cop will either think you're a loon and tell you to go away, or he'll arrest you and go get a warrant to search your house. Say he gets a warrant and searches your house and finds nothing. What charges could they possibly file? Pretending to possess coke? lol


But this of course is ridiculous because rappers say they have killed people, dealt drugs, pimped hoes, stolen cars, etc. in their songs all the time and you don't see the feds running to arrest them for saying things like that do you?

I think that at best, they could try to give you an "attempting to purchase anabolic steroids" charge if all they could find was emails. And even then, they would have to prove that YOU wrote the emails, which is impossible.
 
Nice call about rappers, I was thinking the same damn thing bro!!!!




perryscoon said:
All the emails in the world don't prove a thing until they find gear.

Think about this guys.

You walk up to a cop on the corner and say, "I have a huge bag of cocaine at my house." The cop will either think you're a loon and tell you to go away, or he'll arrest you and go get a warrant to search your house. Say he gets a warrant and searches your house and finds nothing. What charges could they possibly file? Pretending to possess coke? lol


But this of course is ridiculous because rappers say they have killed people, dealt drugs, pimped hoes, stolen cars, etc. in their songs all the time and you don't see the feds running to arrest them for saying things like that do you?

I think that at best, they could try to give you an "attempting to purchase anabolic steroids" charge if all they could find was emails. And even then, they would have to prove that YOU wrote the emails, which is impossible.
 
Hush is basically a Java front end for PGP -- training wheels, in other words. PGP is "Pretty Good Privacy." The guy who wrote it didn't make grandiose claims about it, but it's better than anything from WWII.

Here are a few basics -- your key, your passphrase, has got to be LONG and COMPLEX. A program can run through all the possible combinations of eight or ten letters in a few minutes. "Yo mama" is not a good passphrase, in other words. Unless you have to type for a full four seconds to enter your passphrase, you're wasting your time using PGP. All that does is call attention to your mail without really protecting it.

The feds no doubt have tricks that would make a mere mortal like me faint dead away. But the local PD? You're dealing with some guy who took a two-day forensics course at community college. He'll try a list of stupid passwords, and if you were stupid enough to use one of them, he's in; but if your passphrase is as long as it should be, then fuck, no, he's not going to break PGP. The guy who wrote PGP spent ten years fighting to stay out of jail; he didn't do that just so someone could backdoor it.

On the other hand, spammers now "own" a third of the PC's on the planet. That's because it's trivial to turn a Windows PC into the bitch of some Russian Mafia pimp. Anyone who says "I use Garbage-O and it makes Windows safe!", I call bullshit. It's got to be at least that easy for the FBI.

Also, if you only encrypt some of your email it's just like saying "Here's the good stuff! Focus on this message right here!" The Man calls that traffic analysis, but it's just a matter of figuring out "Who have you been talking to?" and then they go talk to that person. What do you get when you add one smart person and one stupid person? Two stupid people.

I know that we have a guy here who worked on the EFF's (Electronic Frontier Foundation) anonymity system, which sounds wonderful but it's run by volunteers. "Gee, what's the easiest way to get my hands on a stack of internet traffic from people who think they have something to hide?" You got it -- become one of those volunteers. Press report earlier this month, guy used his insider status to read tons of unencrypted messages that were delivered straight to the "nodes" he contributed to the project.

The people using the anonymity service didn't understand the difference between anonymity and encryption. You need BOTH.

(By the way -- the only people who have used the EFF system here have been spammers and trolls, trying to get around being banned. It doesn't even help them with that; it just makes them stick out more.)

So... follow GJ's suggestion and learn how to use PGP without the training wheels.

Ditch Windows. Get a Linux "live CD." You have to keep records? Don't save anything to your hard drive. Save stuff to a thumbdrive and encrypt the hell out of it -- PGP can do that once you learn how to use it.

Hushmail is a hell of a lot better than nothing, and the people talking it down are mostly blowing smoke; it's just not the whole solution.
 
worldclass said:
Secure mail is only secure from hackers and private individuals looking to steal your identity, not the government. The DEA can ask for copies of your email from the "secure mail" providers and they will get it.


With a warrant they can, but not without one. This is still the USA.
 
Yes, the pgp plugin integrates nicely with Microsoft Outlook.
In FSF land, you could use the evolution email client with pgp compiled in.

2 ways to skin a cat

But the idea would be to handle your keys on your pc/laptop:
download your mail (referred to as Popping) to your machine and then encrypt/unencrypt on your machine.

digger said:
Hush is basically a Java front end for PGP -- training wheels, in other words. PGP is "Pretty Good Privacy." The guy who wrote it didn't make grandiose claims about it, but it's better than anything from WWII.

Here are a few basics -- your key, your passphrase, has got to be LONG and COMPLEX. A program can run through all the possible combinations of eight or ten letters in a few minutes. "Yo mama" is not a good passphrase, in other words. Unless you have to type for a full four seconds to enter your passphrase, you're wasting your time using PGP. All that does is call attention to your mail without really protecting it.

The feds no doubt have tricks that would make a mere mortal like me faint dead away. But the local PD? You're dealing with some guy who took a two-day forensics course at community college. He'll try a list of stupid passwords, and if you were stupid enough to use one of them, he's in; but if your passphrase is as long as it should be, then fuck, no, he's not going to break PGP. The guy who wrote PGP spent ten years fighting to stay out of jail; he didn't do that just so someone could backdoor it.

On the other hand, spammers now "own" a third of the PC's on the planet. That's because it's trivial to turn a Windows PC into the bitch of some Russian Mafia pimp. Anyone who says "I use Garbage-O and it makes Windows safe!", I call bullshit. It's got to be at least that easy for the FBI.

Also, if you only encrypt some of your email it's just like saying "Here's the good stuff! Focus on this message right here!" The Man calls that traffic analysis, but it's just a matter of figuring out "Who have you been talking to?" and then they go talk to that person. What do you get when you add one smart person and one stupid person? Two stupid people.

I know that we have a guy here who worked on the EFF's (Electronic Frontier Foundation) anonymity system, which sounds wonderful but it's run by volunteers. "Gee, what's the easiest way to get my hands on a stack of internet traffic from people who think they have something to hide?" You got it -- become one of those volunteers. Press report earlier this month, guy used his insider status to read tons of unencrypted messages that were delivered straight to the "nodes" he contributed to the project.

The people using the anonymity service didn't understand the difference between anonymity and encryption. You need BOTH.

(By the way -- the only people who have used the EFF system here have been spammers and trolls, trying to get around being banned. It doesn't even help them with that; it just makes them stick out more.)

So... follow GJ's suggestion and learn how to use PGP without the training wheels.

Ditch Windows. Get a Linux "live CD." You have to keep records? Don't save anything to your hard drive. Save stuff to a thumbdrive and encrypt the hell out of it -- PGP can do that once you learn how to use it.

Hushmail is a hell of a lot better than nothing, and the people talking it down are mostly blowing smoke; it's just not the whole solution.
 
digger said:
I know that we have a guy here who worked on the EFF's (Electronic Frontier Foundation) anonymity system, which sounds wonderful but it's run by volunteers. "Gee, what's the easiest way to get my hands on a stack of internet traffic from people who think they have something to hide?" You got it -- become one of those volunteers. Press report earlier this month, guy used his insider status to read tons of unencrypted messages that were delivered straight to the "nodes" he contributed to the project.

The people using the anonymity service didn't understand the difference between anonymity and encryption. You need BOTH.


If the feds want to run a node on T.OR they are more than welcome to do so. It was designed with this possibility in mind, it only provides anonymity for the transport and the shielding of the actual client. I invite the feds to run as many nodes as they want, including exit nodes. Being a node or many nodes won't give you enough information - you only know the IP of the previous and next hop - not the contents of the communication nor the original source or the final destination.

It is encrypted by the way, from the client all the way to the exit node.
 
Hushmail is still safe to use. Although I'd suggest using Open PGP at your desktop, if you are so technically inclined. There is still a way Law Enforcement will own you though, read on...

Note that Hushmail must and will submit to subpoenas, but they don't have the ability to decrypt your mail (message bodies & attachments) so their response will include all your mail headers (To/From, Date/Time, Subject, IP Addy, Etc) in clear then a PGP encrypted mail body. At no time does Hushmail receive your passphrase.

If the feds are able to unencrypt, they will - but it is very doubtful that such resources are brought to bear for a law enforcement issue over drugs. Typically such resources are found in the intelligence community - specifically the NSA and other federal agencies draw upon that pool - but it is highly unlikely the NSA would devote resources to such trivial matters.

If you're getting owned by law enforcement on your encrypted mail, they have most likely owned your computer - so in that case, nothing will save you - you need to be more diligent.

Here is a recent bust by the DEA over MDMA - they installed a keylogger to capture passphrases for a hushmail account:

http://www.news.com/8301-10784_3-9741357-7.html?part=rss&subj=news&tag=2547-1001_3-0-5

So if hushmail can provide clear text emails on administrative subpoenas - there is no way they'd bother to surreptitiously install keyloggers. But that keylogger mentioned in the above article would own your ass no matter what you were doing to encrypt your communications.
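
The split jh1 describes above (headers in clear, body as a PGP blob), shown on a constructed message. This is an added example, not part of the original thread and not Hushmail's code; the addresses, IP, message and armored placeholder are all constructed, and `provider_view` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a message as a mail provider would store it.
# The armored block is a placeholder, not real ciphertext.
SAMPLE = """\
Received: from [198.51.100.23] by smtp.mail-provider.example; Tue, 06 Nov 2007 14:02:11 -0800
From: alice@mail-provider.example
To: bob@mail-provider.example
Date: Tue, 06 Nov 2007 14:02:10 -0800
Subject: see attached
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

Q29uc3RydWN0ZWRQbGFjZWhvbGRlckJsb2I=
-----END PGP MESSAGE-----
"""

# Same headers, but the body was never encrypted.
PLAINTEXT_SAMPLE = SAMPLE.split("\n\n", 1)[0] + "\n\nmeet at noon\n"

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def provider_view(raw):
    """Return what is readable to whoever holds the stored message
    without the recipient's private key and passphrase."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    armored = ARMOR.search(body) is not None

    # Each Received header may record the address the message came from.
    client_ips = []
    for hop in msg.get_all("Received", []):
        client_ips.extend(BRACKETED_IP.findall(hop))

    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "date": msg["Date"],
        "subject": msg["Subject"],          # PGP does not cover the Subject line
        "client_ips": client_ips,
        "body_encrypted": armored,
        # Only an unencrypted body is readable from storage.
        "readable_body": None if armored else body.strip(),
    }


if __name__ == "__main__":
    for label, raw in (("encrypted", SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)):
        print(label, provider_view(raw))
```

Who wrote to whom, when, under what subject and from which address is readable in both cases; only the body changes.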
 
LAN T said:
With a warrant they can, but not without one. This is still the USA.



Administrative Subpoenas don't even require a judge to sign off on them. That's how the information was obtained.
 
Even assuming no backdoor to the version of PGP that Hush is using (more on that below), a weak link is their use of the Java front end to perform the encryption. Java has direct access to your machine's IP and bypasses any proxy settings and (so far) any anonymizer software, and Hush then logs your actual IP, linking you to your account and emails.

They indicate on their site you now have a No-java option, but I can't find it (unless you just turn off java in your browser settings and hush then figures out what to do from there). With this option, you'd be vulnerable to a man-in-the-middle attack or data sniffing (since the email isn't encrypted until it gets to the Hush servers) but you'd have to already be the subject of an investigation for that to be an issue in which case ur fucked anyway.
 
Mavafanculo said:
Even assuming no backdoor to the version of PGP that Hush is using (more on that below), a weak link is their use of the Java front end to perform the encryption. Java has direct access to your machine's IP and bypasses any proxy settings and (so far) any anonymizer software, and Hush then logs that IP, linking you to your account and emails.

They indicate on their site you now have a No-java option, but I can't find it (unless you just turn off java in your browser settings and hush then figures out what to do from there). With this option, you'd be vulnerable to a man-in-the-middle attack or data sniffing (since the email isn't encrypted until it gets to the Hush servers) but you'd have to already be the subject of an investigation for that to be an issue in which case ur fucked anyway.


You can use POP / IMAP / SMTP with hush with a client like outlook/thunderbird that would be java free, but honestly I don't see java as an issue.

If you are trying to avoid your computer's IP being logged then you have to use a proxy and that holds true for hush or if you use your own standalone implementation of PGP. That's not specific or unique to PGP.

I am still willing to bet the DEA and other feds' preferred method of compromise is keyloggers. With that they are going to own you unless you are using a non-stored / disposable OS like a LiveCD for your communications. Even then they could own you with a hardware keylogger, or a fucking camera looking over your shoulder for that matter.
 
jh1 said:
If the feds want to run a node on T.OR they are more than welcome to do so. It was designed with this possibility in mind, it only provides anonymity for the transport and the shielding of the actual client. I invite the feds to run as many nodes as they want, including exit nodes. Being a node or many nodes won't give you enough information - you only know the IP of the previous and next hop - not the contents of the communication nor the original source or the final destination.

It is encrypted by the way, from the client all the way to the exit node.

128? 256? blowfish? pgp?
 
Mavafanculo said:
Is there a possible backdoor to PGP?? Seems to depend on the version from the reading below. Is there a 3rd party independent audit of the PGP version and its implementation Hushmail is using??? Probably not.

Here's some interesting links

http://www.rossde.com/PGP/pgp-adk.html
PGP: Additional Decryption Key (ADK)


http://www.wilderssecurity.com/archive/index.php/t-16578.html
PGP has a backdoor in for the government?

http://seclists.org/politech/2001/Jan/0063.html
NA fesses up to backdoor?


I don't think PGP is flawless, but it's highly unlikely that PGP has a backdoor built in due to the fact that the source is open.

Now there is no way to know if hush or other providers took the source, put their own in, compiled and use that - but they all claim they haven't.

If you wanna be safe, get open pgp, verify the MD5 - compile and use yourself.
 
jh1 said:
If you are trying to avoid your computer's IP being logged then you have to use a proxy and that holds true for hush or if you use your own standalone implementation of PGP. That's not specific or unique to PGP.

Re IP anonymity, the web browser use of java by Hush is the prob, not PGP (assuming no backdoor). Even if you use proxy software, Hush's Java applet ignores the settings and passes your actual IP to hush -

so either use a non-java web version or other non-java implementation like you described
 
Mavafanculo said:
128? 256? blowfish? pgp?


128 bit AES, but it's not really important. The reason it's encrypted is to keep snoops from analysing the traffic and using statistical analysis to determine users of the network.

Remember that at the exit node the communications go unencrypted - we provide anonymity - we aren't there to protect the data, just its source. Any encryption is simply to provide a very difficult to trace communication channel - for anonymity.

If you use T.OR and go post on EF under the name 'James Hulton' and that's ur name - ur fucked. We can't save you from that.
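
The layering jh1 describes in his posts above (each relay learns only the previous and next hop, and the exit relay forwards the payload exactly as the client handed it over), as an added sketch that is not part of the original thread and is not the network's own code. The cipher is a toy SHA-256 keystream XOR standing in for the per-hop encryption, keys are pre-shared instead of negotiated, and the relay names, addresses and message are constructed.

```python
import hashlib
import json


def toy_cipher(key, data):
    """XOR with a SHA-256 keystream. Toy stand-in for per-hop AES; not secure.
    Applying it twice with the same key returns the original bytes."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_onion(path, keys, destination, payload):
    """Client side: wrap the payload in one layer per relay, innermost first."""
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = toy_cipher(keys[relay], layer)
    return cell


def peel(key, cell):
    """Relay side: strip one layer, learn only the next hop."""
    layer = json.loads(toy_cipher(key, cell).decode())
    return layer["next"], bytes.fromhex(layer["data"])


def route(client, path, keys, destination, payload):
    """Send one cell along the path; record what each relay gets to know."""
    cell = build_onion(path, keys, destination, payload)
    views, prev = [], client
    for relay in path:
        nxt, cell = peel(keys[relay], cell)
        views.append({"relay": relay, "prev": prev, "next": nxt, "forwards": cell})
        prev = relay
    return views


# Constructed values for the demonstration.
CLIENT = "198.51.100.7"
DEST = "mail.destination.example"
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"constructed-" + name.encode()).digest() for name in PATH}
MESSAGE = b"the message body"
E2E_KEY = b"constructed end-to-end key"


def demo():
    # Case 1: the client sends plaintext through the circuit.
    plain = route(CLIENT, PATH, KEYS, DEST, MESSAGE)
    # Case 2: the client encrypts to the destination first, then sends.
    sealed = route(CLIENT, PATH, KEYS, DEST, toy_cipher(E2E_KEY, MESSAGE))
    return plain, sealed


if __name__ == "__main__":
    for label, views in zip(("plaintext payload", "end-to-end encrypted payload"), demo()):
        print(label)
        for v in views:
            print(f"  {v['relay']:6} prev={v['prev']:12} next={v['next']:24} "
                  f"forwards_plaintext={v['forwards'] == MESSAGE}")
```

The guard knows the client but not the destination, the exit knows the destination but not the client, and only the second case keeps the message unreadable at the exit.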
 
Mavafanculo said:
Re IP anonymity, the web browser use of java by Hush is the prob, not PGP (assuming no backdoor). Even if you use proxy software, Hush's Java applet ignores the settings and passes your actual IP to hush -

so either use a non-java web version or other non-java implementation like you described


I don't know if that's the case or not, but regardless - most people's local machine IPs don't reveal much as they are private IPs that are NAT'd at a gateway somewhere.

For example, my IP right now is 10.0.0.100. Come find me.

As far as Java applets and anonymity - there are ways to address that as well - through sandboxing java / entire browser environments - or even entire OS virtual machines.
 
jh1 said:
I don't know if that's the case or not, but regardless - most people's local machine IPs don't reveal much as they are private IPs that are NAT'd at a gateway somewhere.

For example, my IP right now is 10.0.0.100. Come find me.

As far as Java applets and anonymity - there are ways to address that as well - through sandboxing java / entire browser environments - or even entire OS virtual machines.

I misspoke - the local machine's IP if not behind a router, or the router IP assuming a simple home network - that's enough to go to your ISP and get subscriber info.

I don't know what would be the case in a complex corporate net gateway setup.
 
Mavafanculo said:
I misspoke - the local machine's IP if not behind a router, or the router IP assuming a simple home network - that's enough to go to your ISP and get subscriber info.

I don't know what would be the case in a complex corporate net gateway setup.


Like already stated there is no secure email. If per se you were looking to do this stuff and have minimal chance to get caught this is what you do. (This guy at the gym told me about his routine when he was trying to get me to order stuff, but I won't take steroids illegally, I will do HRT next year though)

1. Get a cheap laptop from someone in the paper or whatever. They won't know ur name or anything.

2. Make sure it has a wireless card, then be sure to drive around until you can find a connection.

3. Place your order and only use that computer and different connections in different locations when you want to check those emails lol.

4. Do not leave the computer at your house obviously, if you can leave it with a trusted person that you don't call with your landline or cell phone. This makes it almost impossible to tie orders to you because they can't find the computer you did stuff with. Even if they use the dealer's how are they going to prove it actually is you if it's not your IP address and there is no hard evidence tying you to it.

5. Western union money with fake names and addresses and stuff obviously

The only trace to you is obviously the substance but if you don't have it at your place either there's really nothing tying you to anything. It really isn't that easy to get a warrant and borrowing other people's internet with a computer that you don't have at your residence will make it impossible to tie stuff to you. It sounds pretty secure, any other ideas? His idea seems very good, and anyone that is too lazy to go the extra 100 miles should also remember the consequences that can happen. All I know is if I was doing this stuff, I would make sure I had every i dotted and t crossed lol.
 
Trendsetter21 said:
Like already stated there is no secure email. If per se you were looking to do this stuff and have minimal chance to get caught this is what you do. (This guy at the gym told me about his routine when he was trying to get me to order stuff, but I won't take steroids illegally, I will do HRT next year though)

1. Get a cheap laptop from someone in the paper or whatever. They won't know ur name or anything.

2. Make sure it has a wireless card, then be sure to drive around until you can find a connection.

3. Place your order and only use that computer and different connections in different locations when you want to check those emails lol.

4. Do not leave the computer at your house obviously, if you can leave it with a trusted person that you don't call with your landline or cell phone. This makes it almost impossible to tie orders to you because they can't find the computer you did stuff with. Even if they use the dealer's how are they going to prove it actually is you if it's not your IP address and there is no hard evidence tying you to it.

5. Western union money with fake names and addresses and stuff obviously

The only trace to you is obviously the substance but if you don't have it at your place either there's really nothing tying you to anything. It really isn't that easy to get a warrant and borrowing other people's internet with a computer that you don't have at your residence will make it impossible to tie stuff to you. It sounds pretty secure, any other ideas? His idea seems very good, and anyone that is too lazy to go the extra 100 miles should also remember the consequences that can happen. All I know is if I was doing this stuff, I would make sure I had every i dotted and t crossed lol.


:rolleyes:

LOL @ Fake Addresses......

Yeah I see a huge fatal error in your plan.
 
Trendsetter21 said:
Like already stated there is no secure email. If per se you were looking to do this stuff and have minimal chance to get caught this is what you do. (This guy at the gym told me about his routine when he was trying to get me to order stuff, but I won't take steroids illegally, I will do HRT next year though)

1. Get a cheap laptop from someone in the paper or whatever. They won't know ur name or anything.

2. Make sure it has a wireless card, then be sure to drive around until you can find a connection.

3. Place your order and only use that computer and different connections in different locations when you want to check those emails lol.

4. Do not leave the computer at your house obviously, if you can leave it with a trusted person that you don't call with your landline or cell phone. This makes it almost impossible to tie orders to you because they can't find the computer you did stuff with. Even if they use the dealer's how are they going to prove it actually is you if it's not your IP address and there is no hard evidence tying you to it.

5. Western union money with fake names and addresses and stuff obviously

The only trace to you is obviously the substance but if you don't have it at your place either there's really nothing tying you to anything. It really isn't that easy to get a warrant and borrowing other people's internet with a computer that you don't have at your residence will make it impossible to tie stuff to you. It sounds pretty secure, any other ideas? His idea seems very good, and anyone that is too lazy to go the extra 100 miles should also remember the consequences that can happen. All I know is if I was doing this stuff, I would make sure I had every i dotted and t crossed lol.


And friends ask me why I secured my wireless network with a 17 character non-dictionary WPA2 AES passphrase w/ remote and http administration on the router disabled. Not like a residential area would be a target for juicers trying to find a network, but still, illegal activity under the cloak of a different network is a tempting reason for a person to steal wifi.

addition: One thing to note about encryption. If your traffic is sniffed/logged, then you better hope the encryption key is strong b/c they have simple tools (Cain and Abel comes to mind) that are made for cracking encrypted data. The longer and more complex the password (non-dictionary is a must), the longer it would take an algorithm to crack it. Sign up for a hotmail account and they will rate your password for you using their arbitrary criteria for password strength.
 
jh1 said:
:rolleyes:

LOL @ Fake Addresses......

Yeah I see a huge fatal error in your plan.


I'm pretty sure from what I've seen posted you never put your real address on western union forms, when you send the western union number that's when you are supposed to give shipping addresses. At least that would make sense, like I stated I've never done this.
 
Trendsetter21 said:
I'm pretty sure from what I've seen posted you never put your real address on western union forms, when you send the western union number that's when you are supposed to give shipping addresses. At least that would make sense, like I stated I've never done this.


This kind of stuff does not need to be discussed in the open. Not trying to be that guy, but in these days why let anything sensitive out in the open.
 
Trendsetter21 said:
I'm pretty sure from what I've seen posted you never put your real address on Western Union forms, when you send the Western Union number that's when you are supposed to give shipping addresses. At least that would make sense, like I stated I've never done this.

Honestly, there's a lot of unnecessary paranoia in your plan. The way these labs were busted and the fact that they got their emails blows your entire plan apart as a consumer.

As far as fake addresses. How do you plan to receive your ster.oids?
 
jh1 said:
Honestly, there's a lot of unnecessary paranoia in your plan. The way these labs were busted and the fact that they got their emails blows your entire plan apart as a consumer.

As far as fake addresses. How do you plan to receive your ster.oids?


If you guys read what I wrote, I've never done this and this guy at the gym was telling me what he does. I thought it was interesting so I posted it. I can't really answer any questions you have. As a tech guy I understand what he was saying. If you create an email account with a fake name and address to order the stuff. Then use fake name and address on WU form how could it be traced to you. When you send the WU information that's when you send real shipping address. That's what I was told. Just posting it as a means of how to minimize getting caught. Personally I say go to a HRT place and pay for it legally.
 
Trendsetter21 said:
Like already stated there is no secure email. If per se you were looking to do this stuff and have minimal chance to get caught this is what you do. (This guy at the gym told me about his routine when he was trying to get me to order stuff, but I won't take steroids illegally, I will do HRT next year though)

1. Get a cheap laptop from someone in the paper or whatever. They won't know ur name or anything.

2. Make sure it has a wireless card, then be sure to drive around until you can find a connection.

3. Place your order and only use that computer and different connections in different locations when you want to check those emails lol.

4. Do not leave the computer at your house obviously, if you can leave it with a trusted person that you don't call with your landline or cell phone. This makes it almost impossible to tie orders to you because they can't find the computer you did stuff with. Even if they use the dealer's how are they going to prove it actually is you if it's not your ip address and there is no hard evidence tying you to it.

5. Western union money with fake names and addresses and stuff obviously

The only trace to you is obviously the substance but if you don't have it at your place either there's really nothing tying you to anything. It really isn't that easy to get a warrant and borrowing other people's internet with a computer that you don't have at your residence will make it impossible to tie stuff to you. It sounds pretty secure, any other ideas? His idea seems very good, and anyone that is too lazy to go the extra 100 miles should also remember the consequences that can happen. All I know is if I was doing this stuff, I would make sure I had every i dotted and t crossed lol.
Fraud is always a great charge to add on
 
why are you guys freaking out still???? has anyone had a knock at their door yet?? when they start knocking on doors for personal users then worry me, but as of now there are no reports of this correct?? stop bugging out, unless you're ordering a couple hundred bottles for resale or something i don't think they are going to waste their time..... personal use is like with any other drug, not sure what they can get you on but even when people get busted with personal stash of drugs they usually go to rehab..... i would really like to see how they handle personal abuse of steroids in the courtroom lmao.... think they will send bros to rehab??? lol lets see when it happens....
 
sincere81oo0 said:
why are you guys freaking out still???? has anyone had a knock at their door yet?? when they start knocking on doors for personal users then worry me, but as of now there are no reports of this correct?? stop bugging out, unless you're ordering a couple hundred bottles for resale or something i don't think they are going to waste their time..... personal use is like with any other drug, not sure what they can get you on but even when people get busted with personal stash of drugs they usually go to rehab..... i would really like to see how they handle personal abuse of steroids in the courtroom lmao.... think they will send bros to rehab??? lol lets see when it happens....
Well the thing is, it would happen immediately, they have tons and tons of emails and info to go through.
 
Mavafanculo said:
With this option, you'd be vulnerable to a man-in-the-middle attack or data sniffing (since the email isn't encrypted until it gets to the Hush servers)

It's an https connection, and SSL isn't all that bad.
 
digger said:
It's an https connection, and SSL isn't all that bad.

no, it's not. I lapsed into Int'l Banking ass-covering mode for a second lol.

For what we're talking about here, the exposure isn't great I guess, and you'd already have to be the target of an investigation.

Last I recall to break a 128 bit it would probably take "...a large bank of supercomputers a few weeks....." or words to that effect.

I don't think the NSA will devote that to 100 dbols lol

-
 
Mavafanculo said:
no, it's not. I lapsed into Int'l Banking ass-covering mode for a second lol.

For what we're talking about here, the exposure isn't great I guess, and you'd already have to be the target of an investigation.

Last I recall to break a 128 bit it would probably take "...a large bank of supercomputers a few weeks....." or words to that effect.

I don't think the NSA will devote that to 100 dbols lol

-



SSL also protects data in transport - not data at rest.

Which means it can afford less security due to other layers.

i.e. you'd have to be able to capture the data real time as it travels across networks you don't necessarily have access to. Whereas with the emails you can subpoena copies from servers where they are stored and take your jolly old time cracking away.
 
jh1 said:
Hushmail is still safe to use. Although I'd suggest using Open PGP at your desktop, if you are so technically inclined. There is still a way Law Enforcement will own you though read on...

Note that Hushmail must and will submit to subpoenas, but they don't have the ability to decrypt your mail (message bodies & attachments) so their response will include all your mail headers (To/From, Date/Time, Subject, IP Addy, Etc) in clear then a PGP encrypted mail body. At no time does Hushmail receive your passphrase.

The problem here is that people are confusing anonymity and privacy; they are two very different things. Hushmail provides privacy, but does not provide anonymity. If one is engaged in potentially illegal activities, it is necessary to be *both* anonymous and private.

PGP, as the name implies, is Pretty Good Privacy--it provides an excellent level of privacy, but in and of itself, does not provide anonymity. Anonymity is provided by anonymous remailers, of which there are currently two classes: cypherpunk and mixmaster. (There is a third class, mixminion, but it is still in an immature stage of development.)

Another specialized type of remailer is the nymserver; as its name implies, nymservers allow one to use PGP/GPG to setup a pseudonym, where one can send/receive email securely.

If one uses a chain of mixmaster remailers to setup/use a nymserver account, this effectively breaks the link between your own IP address and that of the nymserver.
The nymserver operator, even were they to be subpoenaed, would not have your IP address to give to the authorities. All that the nymserver operator has to give to the authorities are:

1) My PGP public key, and 2) my reply block.

In my case, my PGP key is 4096-bits, or twice the size of the 2048-bit keys used by Hushmail. Frankly, neither 2048 nor 4096 keys will be vulnerable any time in the near future. My reply block is a PGP-encrypted, specially-formatted text file. The reply block tells a remailer where to direct any replies that are sent to my nymserver account.

My nymserver account has been setup to send all messages to an anonymous message pool. In practice, this usually is the Usenet newsgroup alt.anonymous.messages. (This is just a high-tech version of the "dead drop" used in espionage tradecraft.)

I'll explain the rationale behind this choice a little further down.

Unlike Hushmail, the nymserver does not have my private PGP key. My private PGP key only exists on my hardware, where it was initially generated. Brute-force password attacks against my private key are not possible, since an attacker cannot get access to my private key. The fact that your private key is available to law-enforcement with Hushmail is why it is so important to use a strong passphrase on your Hushmail accounts, if you must use Hushmail.

Here's how the process works:

i) Someone sends me an email message; the nymserver takes this message and encrypts it with my public key;

ii) The nymserver takes the encrypted message, prepends the reply block to it, and forwards it to the target remailer associated with the reply block.

iii) the target remailer decrypts my reply block, and carries out the instructions found inside.

Let's assume for a moment that the nymserver operator were to be served with a warrant under MLAT and forced to hand over my PGP public key and reply block. All they would have is a public key with an address of say, [email protected] No clues to my real identity here. As for the reply block, it is encrypted to: [email protected] over in the Netherlands. So the authorities would have to get their Dutch counterparts to get a warrant and approach the remailer operator over there to decrypt the reply block.

So the replay.com operator takes the reply block from the police and decrypts it, like they asked. Here is the decrypted reply-block that the authorities get for all their time and trouble:

::
Request-Remailing-To: [email protected]
Encrypt-Key: blah_blah
Encrypt-Subject: dKBJDCd2tZqidpxiAJME9Q

##
Newsgroups: alt.anonymous.messages
Subject: I love paris in the the spring!

**

The Request-Remailing-To: line points to a mail2news gateway that posts to the Usenet group found in the Newsgroups: line, in this case alt.anonymous.messages.

The Encrypt-Key: directive tells the remailer to further encrypt the already-PGP-encrypted message with the symmetric IDEA cipher, using the string "blah_blah". The reason for this is to prevent any adversary from combing through the messages in alt.anonymous.messages looking for messages encrypted with my PGP public key.

Similarly, the Encrypt-Subject: directive, as the name implies, encrypts a hash of the message subject, thus ensuring that the Subject line showing up in alt.anonymous.messages changes constantly. This is to prevent an adversary sending say, 20 or 30 or 50 messages to my nym account and watching alt.anonymous.messages to see a spike in the number of messages with a particular subject line.

In other words, these measures ensure that no attacker can determine which messages in the pool are mine by:

a) trying to see which messages are encrypted to my PGP public key; and
b) watching for messages with a particular subject line.

Now an investigator, who has obtained the decrypted reply block under warrant, _has_ sufficient information to determine which messages are mine in the anonymous message pool. Using a package like AAMfetch, they can insert the values found in the reply block and download all the traffic in the message pool associated with my nym account.

However, they still don't know who I am, or where I am located. They also still cannot read my messages, as they cannot break the PGP-encrypted messages.

If the feds are able to unencrypt, they will - but it is very doubtful that such resources are brought to bear for a law enforcement issue over drugs. Typically such resources are found in the intelligence community - specifically the NSA and other federal agencies draw upon that pool - but it is highly unlikely the NSA would devote resources to such trivial matters.

If you're getting owned by law enforcement on your encrypted mail, they have most likely owned your computer - so in that case, nothing will save you - you need to be more diligent.

Here is a recent bust by the DEA over MDMA - they installed a keylogger to capture passphrases for a hushmail account:

http://www.news.com/8301-10784_3-9741357-7.html?part=rss&subj=news&tag=2547-1001_3-0-5

So if hushmail can provide clear text emails on administrative subpoenas - there is no way they'd bother to surreptitiously install keyloggers. But that keylogger mentioned in the above article would own your ass no matter what you were doing to encrypt your communications.

In order to install a keylogger, they first have to be able to find you. The only way they could affect you without knowing who or where you are, would be to get you to carry out some action, for example, visit a trojaned web site, or trick you into installing some malware that would send your IP address, etc. to them.

For those interested in privacy, anonymity and techniques to accomplish this, I would recommend paying a visit to the Usenet newsgroup alt.privacy.anon-server. Dr. Who's FAQ is frequently posted there, and it is an excellent introduction to these subjects, particularly for Windows users. The latest version of Dr. Who's Encryption & Security FAQ (22.6.4) was posted on October 1st in alt.privacy.anon-server. The Message-ID: is: <[email protected]>. I have verified his PGP signature on this particular version. (If it has expired with your newsserver, it may still be available through Google Groups.)

Here is a link to another tutorial: http://www.iusmentis.com/technology/remailers/nym.html

Most of the information is accurate, although dated. In particular, nym.alias.net is NOT recommended any longer, as they haven't changed their public key in more than 10 years! (Nym.alias.net is/was a student project--it has been run by a succession of student admins over the years. It tends to be erratic, and heaven only knows how many copies of nym.alias.net's private key are floating around. Ten years ago it was top-notch, today it is no longer recommended--there are other nymservers out there that are much better-administered.)

Finally, here's a link to a 96-page court document with respect to the MDMA bust and keylogger installation.

http://politechbot.com/docs/forrester.alba.dea.key.logger.070907.pdf

I could elaborate further, if anyone is interested. If anyone wants to email me, they can do so at: [email protected]. I've already uploaded the public key for this account to the hushmail key server.

Fidel Castro <[email protected]>
PGP-Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
 
don't use hushmail for corresponding with sources anymore, it's not safe, you just got to assume the LE motherfuckers are reading your shit. get another encrypted way of using email.
 
Fidel_Castro said:
The problem here is that people are confusing anonymity and privacy; they are two very different things. Hushmail provides privacy, but does not provide anonymity. If one is engaged in potentially illegal activities, it is necessary to be *both* anonymous and private.

PGP, as the name implies, is Pretty Good Privacy--it provides an excellent level of privacy, but in and of itself, does not provide anonymity. Anonymity is provided by anonymous remailers, of which there are currently two classes: cypherpunk and mixmaster. (There is a third class, mixminion, but it is still in an immature stage of development.)

Another specialized type of remailer is the nymserver; as its name implies, nymservers allow one to use PGP/GPG to setup a pseudonym, where one can send/receive email securely.

If one uses a chain of mixmaster remailers to setup/use a nymserver account, this effectively breaks the link between your own IP address and that of the nymserver.
The nymserver operator, even were they to be subpoenaed, would not have your IP address to give to the authorities. All that the nymserver operator has to give to the authorities are:

1) My PGP public key, and 2) my reply block.

In my case, my PGP key is 4096-bits, or twice the size of the 2048-bit keys used by Hushmail. Frankly, neither 2048 nor 4096 keys will be vulnerable any time in the near future. My reply block is a PGP-encrypted, specially-formatted text file. The reply block tells a remailer where to direct any replies that are sent to my nymserver account.

My nymserver account has been setup to send all messages to an anonymous message pool. In practice, this usually is the Usenet newsgroup alt.anonymous.messages. (This is just a high-tech version of the "dead drop" used in espionage tradecraft.)

I'll explain the rationale behind this choice a little further down.

Unlike Hushmail, the nymserver does not have my private PGP key. My private PGP key only exists on my hardware, where it was initially generated. Brute-force password attacks against my private key are not possible, since an attacker cannot get access to my private key. The fact that your private key is available to law-enforcement with Hushmail is why it is so important to use a strong passphrase on your Hushmail accounts, if you must use Hushmail.

Here's how the process works:

i) Someone sends me an email message; the nymserver takes this message and encrypts it with my public key;

ii) The nymserver takes the encrypted message, prepends the reply block to it, and forwards it to the target remailer associated with the reply block.

iii) the target remailer decrypts my reply block, and carries out the instructions found inside.

Let's assume for a moment that the nymserver operator were to be served with a warrant under MLAT and forced to hand over my PGP public key and reply block. All they would have is a public key with an address of say, [email protected] No clues to my real identity here. As for the reply block, it is encrypted to: [email protected] over in the Netherlands. So the authorities would have to get their Dutch counterparts to get a warrant and approach the remailer operator over there to decrypt the reply block.

So the replay.com operator takes the reply block from the police and decrypts it, like they asked. Here is the decrypted reply-block that the authorities get for all their time and trouble:

::
Request-Remailing-To: [email protected]
Encrypt-Key: blah_blah
Encrypt-Subject: dKBJDCd2tZqidpxiAJME9Q

##
Newsgroups: alt.anonymous.messages
Subject: I love paris in the the spring!

**

The Request-Remailing-To: line points to a mail2news gateway that posts to the Usenet group found in the Newsgroups: line, in this case alt.anonymous.messages.

The Encrypt-Key: directive tells the remailer to further encrypt the already-PGP-encrypted message with the symmetric IDEA cipher, using the string "blah_blah". The reason for this is to prevent any adversary from combing through the messages in alt.anonymous.messages looking for messages encrypted with my PGP public key.

Similarly, the Encrypt-Subject: directive, as the name implies, encrypts a hash of the message subject, thus ensuring that the Subject line showing up in alt.anonymous.messages changes constantly. This is to prevent an adversary sending say, 20 or 30 or 50 messages to my nym account and watching alt.anonymous.messages to see a spike in the number of messages with a particular subject line.

In other words, these measures ensure that no attacker can determine which messages in the pool are mine by:

a) trying to see which messages are encrypted to my PGP public key; and
b) watching for messages with a particular subject line.

Now an investigator, who has obtained the decrypted reply block under warrant, _has_ sufficient information to determine which messages are mine in the anonymous message pool. Using a package like AAMfetch, they can insert the values found in the reply block and download all the traffic in the message pool associated with my nym account.

However, they still don't know who I am, or where I am located. They also still cannot read my messages, as they cannot break the PGP-encrypted messages.



In order to install a keylogger, they first have to be able to find you. The only way they could affect you without knowing who or where you are, would be to get you to carry out some action, for example, visit a trojaned web site, or trick you into installing some malware that would send your IP address, etc. to them.

For those interested in privacy, anonymity and techniques to accomplish this, I would recommend paying a visit to the Usenet newsgroup alt.privacy.anon-server. Dr. Who's FAQ is frequently posted there, and it is an excellent introduction to these subjects, particularly for Windows users. The latest version of Dr. Who's Encryption & Security FAQ (22.6.4) was posted on October 1st in alt.privacy.anon-server. The Message-ID: is: <[email protected]>. I have verified his PGP signature on this particular version. (If it has expired with your newsserver, it may still be available through Google Groups.)

Here is a link to another tutorial: http://www.iusmentis.com/technology/remailers/nym.html

Most of the information is accurate, although dated. In particular, nym.alias.net is NOT recommended any longer, as they haven't changed their public key in more than 10 years! (Nym.alias.net is/was a student project--it has been run by a succession of student admins over the years. It tends to be erratic, and heaven only knows how many copies of nym.alias.net's private key are floating around. Ten years ago it was top-notch, today it is no longer recommended--there are other nymservers out there that are much better-administered.)

Finally, here's a link to a 96-page court document with respect to the MDMA bust and keylogger installation.

http://politechbot.com/docs/forrester.alba.dea.key.logger.070907.pdf

I could elaborate further, if anyone is interested. If anyone wants to email me, they can do so at: [email protected]. I've already uploaded the public key for this account to the hushmail key server.

Fidel Castro <[email protected]>
PGP-Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892



Good information here.


T.OR available at the Electronic Frontier Foundation offers the layer of anonymity required that can be coupled with hushmail.

This stuff has to be easy to use... at least for 'customers'....

For anyone marketing or selling... they should take things to the next level ... .IMO
 
Access said:
I read a DEA report recently where they stated it was very difficult to get any real data from Hushmail accounts because they wipe the originating IP before sending the message and replace it with the server IP which is located in Ireland (which I did not know).

I'll have to check this one out and report back.

So I think these encrypted accounts might be reasonably safe. I am sure the govt. if need be could unencrypt these e-mails but I doubt they're going to go to that length somehow.

Let me put it this way. Maybe they can read PGP-encrypted traffic, maybe not. If they are able to, this would be of tremendous importance. They're not going to throw that advantage away; I mean they're not going to let the secret out that they can read PGP traffic just to catch a few drug dealers. If keeping the secret means that a few drug dealers get away with it, then to them it's worth the price.

Also with the servers being located offshore does make them have to go through more hurdles to get any information they want.

That may have been true 25 years ago, it certainly isn't the case now. All these interlocking Mutual Legal Assistance Treaties (MLAT) mean that national borders are much less of an impediment now than they were in previous decades.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
 
partagus said:
I know a girl that works at the NSA. In casual conversation, I asked her if the NSA had the ability to get info and read encrypted e-mail. She just laughed at me. She said there is no such thing as encrypted e-mail to the government, that they can get to it all.

With all due respect, what else did you expect her to say?

The NSA is a notoriously closed organization; only a short two decades ago, the government didn't even acknowledge its existence, and employees were told to say only that they "work for the government." If pressed, they were authorized to say that they "work for the Department of Defense."

The NSA is so secretive, that they do not reveal their capabilities even to other government agencies. Furthermore, there is extensive compartmentalization, even within the Agency itself. Employees operate only on a strict need-to-know basis.

You might wish to take a look at some of James Bamford's books--here is what Wikipedia has to say about him, in part:

Mr. Bamford's first book, The Puzzle Palace (1982), was the first book published about the National Security Agency (NSA). The book was researched through extensive use of the Freedom of Information Act (FOIA). As a super-secret agency, the NSA was quite concerned about their unveiling to the world and accordingly, the government acted to stop publication. He published Body of Secrets (also about the NSA, 2001),

It's been years since I've read the Puzzle Palace, I should read it again.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
 
Access said:
Just to follow up this is on site also:

Does Hush/Cyber-Rights.Net have a "back door" that can be accessed by government agencies?

Email, which includes attachments, sent between Hush users is completely encrypted.

If I am not mistaken, both Hush and Cyber-Rights use the same backend technology.
The key phrase here is, "between Hush users".

Both Cyber-Rights and Hushmail suffer from the same deficiency: namely that they both violate one of the chief tenets of public key cryptosystems. The entire idea of a public key cryptosystem is to keep public and private keys separate. The idea is to never give attackers access to one's private key. Both Hushmail and Cyber-Rights do precisely that, by making both private and public keys available on their servers. The only thing that protects your private key is your passphrase, which is why Hushmail recommends that you use Diceware to create a passphrase. Arnold G. Reinhold, Diceware's author, recommends 5-6 words chosen using Diceware as a Hushmail passphrase--my own personal preference is to double that to 10-12.

What if my message is subpoenaed?

Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email.

Again, all depends on the strength of your passphrase. Furthermore, you have to depend on the person you're writing to as well to have chosen a good passphrase. A couple of years back, there was an article on the Secret Service distributed key-cracking effort, which they dubbed: DNA (Distributed Networking Attack). The entire article can be read at: http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html

Here is an excerpt:

===========================================

washingtonpost.com
DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence

By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 28, 2005; 6:48 AM

For law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part.

More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes.

The wide availability of powerful encryption software has made evidence gathering a significant challenge for investigators. Criminals can use the software to scramble evidence of their activities so thoroughly that even the most powerful supercomputers in the world would never be able to break into their codes. But the U.S. Secret Service believes that combining computing power with gumshoe detective skills can help crack criminals' encrypted data caches.

Taking a cue from scientists searching for signs of extraterrestrial life and mathematicians trying to identify very large prime numbers, the agency best known for protecting presidents and other high officials is tying together its employees' desktop computers in a network designed to crack passwords that alleged criminals have used to scramble evidence of their crimes -- everything from lists of stolen credit card numbers and Social Security numbers to records of bank transfers and e-mail communications with victims and accomplices.

To date, the Secret Service has linked 4,000 of its employees' computers into the "Distributed Networking Attack" program. The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis.

"We're seeing more and more cases coming in where we have to break encryption," Lewis said. "What we're finding is that criminals who use encryption usually are higher profile and higher value targets for us because it means from an evidentiary standpoint they have more to hide."

Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.

[snip]

Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user. Most encryption programs urge users to pick strong, alphanumeric passwords, but far too often people ignore that critical piece of advice, said Bruce Schneier, an encryption expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif.

"Most people don't pick a random password even though they should, and that's why projects like this work against a lot of keys," Schneier said. "Lots of people -- even the bad guys -- are really sloppy about choosing good passwords."

Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.

In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.

"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.

DNA was developed under a program funded by the Technical Support Working Group -- a federal office that coordinates research on technologies to combat terrorism. AccessData's various offerings are currently used by nearly every federal agency that does computer forensics work, according to Hansen and executives at Pasadena, Calif.-based Guidance Software, another major player in the government market for forensics technology.

Hansen said AccessData has learned through feedback with its customers in law enforcement that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.

"Most of the time this happens the password is some quirky word related to the suspect's area of interests or hobbies," Hansen said.

Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.

Having the ability to craft custom dictionaries for each suspect's computer makes it exponentially more likely that investigators can crack a given encryption code within a timeframe that would be useful in prosecuting a case, said David McNett, president of Distributed.net, created in 1997 as the world's first general-purpose distributed computing project.

=========================================


This is precisely why using something like Diceware is so important.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
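
The arithmetic behind the Diceware advice in the post above, as an added example that is not part of the original thread: it compares the search space of a password drawn from a per-suspect word list (the approach the quoted article describes) with Diceware passphrases of the lengths mentioned, at the article's quoted rate of a million guesses per second. The 7776-word list size is Diceware's standard five-dice list; the profile dictionary size and variant count are constructed assumptions.

```python
"""Added example: passphrase search space versus a fixed guessing rate."""
import math

DICEWARE_LIST_SIZE = 6 ** 5        # five dice per word -> 7776 list entries
GUESSES_PER_SECOND = 1_000_000     # rate quoted in the article excerpt
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumptions for a hobby-word dictionary built from a user's
# own files and browsing, plus common case/digit/suffix variants per word.
PROFILE_WORDS = 50_000
VARIANTS_PER_WORD = 1_000


def diceware_keyspace(words: int) -> int:
    """Number of equally likely passphrases of `words` Diceware words."""
    if words < 1:
        raise ValueError("need at least one word")
    return DICEWARE_LIST_SIZE ** words


def profile_keyspace(dictionary_words: int, variants: int) -> int:
    """Candidates when the password is one dictionary word plus a variant."""
    return dictionary_words * variants


def bits(keyspace: int) -> float:
    """Entropy in bits of a uniform choice from `keyspace` candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the average is half of this."""
    return keyspace / rate


def min_diceware_words(target_bits: float) -> int:
    """Fewest Diceware words whose entropy meets `target_bits`."""
    return math.ceil(target_bits / math.log2(DICEWARE_LIST_SIZE))


def report(rate: float = GUESSES_PER_SECOND):
    """Rows of (label, entropy bits, worst-case years) for each scheme."""
    schemes = [("profile dictionary word",
                profile_keyspace(PROFILE_WORDS, VARIANTS_PER_WORD))]
    for n in (5, 6, 10, 12):       # word counts mentioned in the post
        schemes.append((f"diceware, {n} words", diceware_keyspace(n)))
    return [(label, bits(ks), seconds_to_exhaust(ks, rate) / SECONDS_PER_YEAR)
            for label, ks in schemes]


if __name__ == "__main__":
    for label, entropy, years in report():
        print(f"{label:26s} {entropy:6.1f} bits  {years:.3g} years worst case")
    # The same table for a guesser a million times faster than the article's.
    for label, entropy, years in report(rate=GUESSES_PER_SECOND * 1e6):
        print(f"{label:26s} {entropy:6.1f} bits  {years:.3g} years at 1e12/s")
```

Each added Diceware word multiplies the search space by 7776, which is why the gap between the profile-dictionary row and the Diceware rows is so large even at the faster rate.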
 