
hushmail safety??

Access said:
I read a DEA report recently where they stated it was very difficult to get any real data from Hushmail accounts because they wipe the originating IP before sending the message and replace it with the server IP which is located in Ireland (which I did not know).

I'll have to check this one out and report back.

So I think these encrypted accounts might be reasonably safe. I am sure the govt. if need be could unencrypt these e-mails but I doubt they're going to go to that length somehow.

Let me put it this way. Maybe they can read PGP-encrypted traffic, maybe not. If they are able to, this would be of tremendous importance. They're not going to throw that advantage away; I mean they're not going to let the secret out that they can read PGP traffic just to catch a few drug dealers. If keeping the secret means that a few drug dealers get away with it, then to them it's worth the price.

Also with the servers being located offshore does make them have to go through more hurdles to get any information they want.

That may have been true 25 years ago, it certainly isn't the case now. All these interlocking Mutual Legal Assistance Treaties (MLAT) mean that national borders are much less of an impediment now than they were in previous decades.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
 
partagus said:
I know a girl that works at the NSA. In casual conversation, I asked her if the NSA had the ability to get info and read encrypted e-mail. She just laughed at me. She said there is no such thing as encrypted e-mail to the government, that they can get to it all.

With all due respect, what else did you expect her to say?

The NSA is a notoriously closed organization; only a short two decades ago, the government didn't even acknowledge its existence, and employees were told to say only that they "work for the government." If pressed, they were authorized to say that they "work for the Department of Defense."

The NSA is so secretive, that they do not reveal their capabilities even to other government agencies. Furthermore, there is extensive compartmentalization, even within the Agency itself. Employees operate only on a strict need-to-know basis.

You might wish to take a look at some of James Bamford's books--here is what Wikipedia has to say about him, in part:

Mr. Bamford's first book, The Puzzle Palace (1982), was the first book published about the National Security Agency (NSA). The book was researched through extensive use of the Freedom of Information Act (FOIA). As a super-secret agency, the NSA was quite concerned about their unveiling to the world and accordingly, the government acted to stop publication. He published Body of Secrets (also about the NSA, 2001),

It's been years since I've read the Puzzle Palace, I should read it again.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
 
Access said:
Just to follow up this is on site also:

Does Hush/Cyber-Rights.Net have a "back door" that can be accessed by government agencies?

Email, which includes attachments, sent between Hush users is completely encrypted.

If I am not mistaken, both Hush and Cyber-Rights use the same backend technology.
The key phrase here is, "between Hush users".

Both Cyber-Rights and Hushmail suffer from the same deficiency: namely that they both violate one of the chief tenets of public key cryptosystems. The entire idea of a public key cryptosystem is to keep public and private keys separate. The idea is to never give attackers access to one's private key. Both Hushmail and Cyber-Rights do precisely that, by making both private and public keys available on their servers. The only thing that protects your private key is your passphrase, which is why Hushmail recommends that you use Diceware to create a passphrase. Arnold G. Reinhold, Diceware's author, recommends 5-6 words chosen using Diceware as a Hushmail passphrase--my own personal preference is to double that to 10-12.

What if my message is subpoenaed?

Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email.

Again, all depends on the strength of your passphrase. Furthermore, you have to depend on the person you're writing to as well to have chosen a good passphrase. A couple of years back, there was an article on the Secret Service distributed key-cracking effort, which they dubbed: DNA (Distributed Networking Attack). The entire article can be read at: http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html

Here is an excerpt:

===========================================

washingtonpost.com
DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence

By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 28, 2005; 6:48 AM

For law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part.

More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes.

The wide availability of powerful encryption software has made evidence gathering a significant challenge for investigators. Criminals can use the software to scramble evidence of their activities so thoroughly that even the most powerful supercomputers in the world would never be able to break into their codes. But the U.S. Secret Service believes that combining computing power with gumshoe detective skills can help crack criminals' encrypted data caches.

Taking a cue from scientists searching for signs of extraterrestrial life and mathematicians trying to identify very large prime numbers, the agency best known for protecting presidents and other high officials is tying together its employees' desktop computers in a network designed to crack passwords that alleged criminals have used to scramble evidence of their crimes -- everything from lists of stolen credit card numbers and Social Security numbers to records of bank transfers and e-mail communications with victims and accomplices.

To date, the Secret Service has linked 4,000 of its employees' computers into the "Distributed Networking Attack" program. The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis.

"We're seeing more and more cases coming in where we have to break encryption," Lewis said. "What we're finding is that criminals who use encryption usually are higher profile and higher value targets for us because it means from an evidentiary standpoint they have more to hide."

Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.

[snip]

Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user. Most encryption programs urge users to pick strong, alphanumeric passwords, but far too often people ignore that critical piece of advice, said Bruce Schneier, an encryption expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif.

"Most people don't pick a random password even though they should, and that's why projects like this work against a lot of keys," Schneier said. "Lots of people -- even the bad guys -- are really sloppy about choosing good passwords."

Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.

In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.

"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.

DNA was developed under a program funded by the Technical Support Working Group -- a federal office that coordinates research on technologies to combat terrorism. AccessData's various offerings are currently used by nearly every federal agency that does computer forensics work, according to Hansen and executives at Pasadena, Calif.-based Guidance Software, another major player in the government market for forensics technology.

Hansen said AccessData has learned through feedback with its customers in law enforcement that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.

"Most of the time this happens the password is some quirky word related to the suspect's area of interests or hobbies," Hansen said.

Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.

Having the ability to craft custom dictionaries for each suspect's computer makes it exponentially more likely that investigators can crack a given encryption code within a timeframe that would be useful in prosecuting a case, said David McNett, president of Distributed.net, created in 1997 as the world's first general-purpose distributed computing project.

=========================================


This is precisely why using something like Diceware is so important.

Fidel Castro <[email protected]>
PGP Key: 0x9703892
Fingerprint: CFF2 9E40 8C8B 8A03 14DB D51C 44A2 2578 0970 3892
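Added example (not part of the thread above, not Hushmail's code): a small Python model of the situation the post describes. A passphrase-protected private key sits on the server, so a subpoena hands the attacker something they can guess at offline, and the DNA article's custom word lists are the attack. The block shows the Diceware arithmetic (bits per word, words needed for a target strength, worst-case time at the article's ~1 million guesses per second) and then runs a hobby-derived dictionary against a weak hobby password and against a Diceware-style passphrase. Assumptions, all mine rather than the page's: PBKDF2-HMAC-SHA256 stands in for whatever Hushmail actually used to wrap keys, the iteration count is lowered so the demo runs in seconds, the "browser cache" text and the short word list are constructed stand-ins, and `secrets.choice` stands in for physical dice.

```python
"""Model of an offline attack on a server-held, passphrase-wrapped private key.
Added example; assumptions are marked inline."""
import hashlib
import hmac
import math
import os
import re
import secrets

# Real Diceware draws from a 7776-word list (6**5, five dice per word).
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in for the Diceware list (assumption: only the real
# list's size matters for the entropy arithmetic below).
STAND_IN_WORDLIST = ["cliff", "ocean", "marble", "tulip", "gravy", "hinge",
                     "quartz", "pillow", "saddle", "orbit", "velvet", "ember",
                     "lantern", "meadow", "crisp", "falcon", "ripple", "anvil"]

def diceware_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n words chosen uniformly from list_size entries (~12.9 bits/word)."""
    return n_words * math.log2(list_size)

def words_for_bits(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of Diceware words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def years_to_exhaust(bits, guesses_per_second=1e6):
    """Worst-case years to try every passphrase at the DNA article's ~1e6 guesses/s."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def make_passphrase(n_words, wordlist=STAND_IN_WORDLIST):
    """CSPRNG stand-in for dice: each word chosen uniformly and independently."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# --- the passphrase-wrapped key the server hands over under subpoena ---
KDF_ITERATIONS = 20_000  # assumption: lowered so the demo finishes quickly
CHECK = b"private-key-check"  # stands in for the wrapped key material

def derive_kek(passphrase, salt, iterations=KDF_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)

def wrap_private_key(passphrase):
    """Return (salt, tag): everything an attacker needs to test guesses offline."""
    salt = os.urandom(16)
    tag = hmac.new(derive_kek(passphrase, salt), CHECK, hashlib.sha256).digest()
    return salt, tag

def crack(salt, tag, candidates):
    """Try each candidate passphrase; return (hit or None, guesses spent)."""
    for n, guess in enumerate(candidates, 1):
        t = hmac.new(derive_kek(guess, salt), CHECK, hashlib.sha256).digest()
        if hmac.compare_digest(t, tag):
            return guess, n
    return None, len(candidates)

# --- the custom dictionary built from the suspect's browsing, as in the article ---
SAMPLE_BROWSER_CACHE = """Constructed sample, not real cache data:
Harley Sportster forum: best sprocket ratio for torque. Ducati Monster carburetor
jetting. Kawasaki Ninja chain tension, throttle cable adjustment."""

def build_custom_dictionary(text):
    """Words of 4+ letters from the cache text, with a few common manglings."""
    words = sorted({w.lower() for w in re.findall(r"[A-Za-z]{4,}", text)})
    out = []
    for w in words:
        out += [w, w.capitalize(), w + "1", w + "123"]
    return out

def demo():
    dictionary = build_custom_dictionary(SAMPLE_BROWSER_CACHE)
    weak = wrap_private_key("sprocket1")          # hobby word plus a digit
    strong = wrap_private_key(make_passphrase(6))  # six Diceware-style words
    weak_hit, weak_tries = crack(*weak, dictionary)
    strong_hit, _ = crack(*strong, dictionary)
    return {"weak_hit": weak_hit, "weak_tries": weak_tries,
            "strong_hit": strong_hit,
            "strong_bits": diceware_entropy_bits(6),
            "strong_years": years_to_exhaust(diceware_entropy_bits(6))}

if __name__ == "__main__":
    print(demo())
```

The weak key falls in a few dozen guesses; the six-word passphrase survives the hobby dictionary outright and, at roughly 77 bits, is out of reach of exhaustive search at a million guesses per second by many orders of magnitude. The arithmetic also shows why the post's 10-12 words is not overkill if the goal is a 128-bit passphrase: `words_for_bits(128)` is 10.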
 