A Cryptome DVD is offered by Cryptome. Donate $25 for a DVD of the Cryptome 11-years archives of 41,000 files from June 1996 to June 2007 (~4.4 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.

8 November 2007

Date:	Wed, 7 Nov 2007 06:43:02 -0600 (CST)
From:	"J.A. Terranson" <measl[at]mfn.org>
To:	cypherpunks[at]al-qaeda.net
Subject: For those who missed it: Hushmail is pwnd

Hushmail and DEA have an "MLAT" ("Mutual Legal Assistance Treaty")???


J.A. Terranson

What religion, please tell me, tells you as a follower of that religion to
occupy another country and kill its people? Please tell me. Does
Christianity tell its followers to do that? Judaism, for that matter?
Islam, for that matter? What prophet tells you to send 160,000 troops to
another country, kill men, women, and children? You just can't wear your
religion on your sleeve or just go to church. You should be truthfully

Mahmoud Ahmadinejad

---------- Forwarded message ----------
Date: Mon, 5 Nov 2007 00:01:41 -0600
From: travis+ml-cryptography[at]subspacefield.org
To: auto37159[at]hushmail.com
Cc: cryptography[at]metzdowd.com
Subject: Re: Hushmail in U.S. v. Tyler Stumbo

On Tue, Oct 30, 2007 at 12:27:53PM -0400, auto37159[at]hushmail.com wrote:
> I stumbled across this filing:
> http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

I probably shouldn't say anything about this, but whoever made this
PDF failed to properly redact the personal information in #10, just
like the NYT failed to do with the names of the people who helped the
US in Iran.

I can simply switch desktops and see the numbers underneath before the
rectangles are drawn over them (possibly on another layer).  Actually
the box on #14 seems to work, possibly because it is larger, or was
done differently.

> What I found interesting was:
> 1.  The amount of data which Hushmail was required to turn over to
> the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs  What
> kind of and for what length of time does Hushmail store logs?

You would think that they would store the minimum or none, so that
they didn't have to answer such requests.  In the US, companies can
require compensation for resources spent filling these requests, but
many do not for fear of increased scrutiny by law enforcement.

I have been around when my department at a Usenet server had to fill
these kinds of requests on posts from people selling GHB or something
like that.  They pretty much write their subpoenas as wide as
possible, pretty much "any record you have about..." and then they
give you every relevant piece of identifying information they have.  I
think you have to swear under penalty that you got them everything.
Sorry bro....

IIRC, there were laws passed in Europe dictating minimum retention
times for ISPs and such.  They may have been passed in Canada and the
US as well.  I guess the legal theory is that when a business offers
services to the public they give up some rights over private property.

Probably they did the minimum work to comply, which means that the
CDs are either mostly empty, or full of unrelated data.

> 2.  That items #5 and #15 indicated that the _contents_ of emails
> between several Hushmail accounts were "reviewed".


> 3.  The request was submitted to the ISP for IP addresses related
> to a specific hushmail address (#9).  How would the ISP be able to
> link a specific email address to an IP when Hushmail uses SSL/TLS
> for both web and POP3/IMAP interfaces?

It appears he used IP addresses gathered from #4.

> Since email between hushmail accounts is generally PGPed.  (That is
> the point, right?)  And the MLAT was used to establish probable
> cause, I assume that the passphrases were not squeezed out of the
> plaintiff.  How did the contents get divulged?

My guess is that Hushmail has had subpoenas before and had to develop
and install a modified java applet which captures the passphrase when
the user enters it.  With that and the stored keys, it can decrypt all
the stored communications.

If that's true, I wouldn't expect them to trumpet it, since it would
mostly negate their value proposition.
Life would be so much easier if it was open-source.
<URL:http://www.subspacefield.org/~travis/> Eff the ineffable!
For a good time on my UBE blacklist, email john[at]subspacefield.org.

Date: Wed, 7 Nov 2007 14:18:57 -0500 From: "Roy M. Silvernail" <roy[at]rant-central.com> To: cypherpunks[at]al-qaeda.net Subject: Re: For those who missed it: Hushmail is pwnd On Wed, Nov 07, 2007 at 06:43:02AM -0600, J.A. Terranson wrote: > Hushmail and DEA have an "MLAT" ("Mutual Legal Assistance Treaty")??? > > Wow. Sweet syphillitic Jeebus!  I have *got* to stop glossing over the stuff in comp.encryption.general.  I saw a bunch of items on this go by, but didn't see the MLAT mentioned in the headlines.  (maybe RSS isn't all that great?) Note that the MLAT is actually between the US and Canada, and according to http://travel.state.gov/law/info/judicial/judicial_690.html, it's been in effect since Jan. 24, 1990.  So while Hushmail is pwned, it's pwned by Canada, which is in turn pwned by the US.  But then, a difference which makes no difference isn't really a difference.  I'm just glad I never used/trusted Hush. -- Roy M. Silvernail is roy[at]rant-central.com, and you're not    "A desperate disease requires a dangerous remedy."                    - Guy Fawkes             http://www.rant-central.com
Date: Wed, 7 Nov 2007 11:37:22 -0800 (PST) From: Len Sassaman <rabbi[at]abditum.com> To: "J.A. Terranson" <measl[at]mfn.org> Cc: cypherpunks[at]al-qaeda.net Subject: Re: For those who missed it: Hushmail is pwnd On Wed, 7 Nov 2007, J.A. Terranson wrote: > My guess is that Hushmail has had subpoenas before and had to develop > and install a modified java applet which captures the passphrase when > the user enters it.  With that and the stored keys, it can decrypt all > the stored communications. I wouldn't be so certain -- getting subpoenas is no big deal for companies. At Anonymizer, I answered lots of them. Most of the time, I couldn't comply. (If you pay for your Anonymizer account with your credit card, and the Feds want to know if you bought an Anonymizer account, well, you screwed up. Otherwise, I told the guy on the phone the truth -- I had nothing in my logs about that IP address, sir. And they went away, quickly and without fuss, unlike when I've had to deal with the same thing as a private remop.) Of course, that was in 2003 and times have changed all around -- I don't think Hushmail was handing out info to TLAs back then either. Possibly, the problem here is Hushmail's move away from using its Java applet as default. (It has two modes now -- securish and securisher, from what I can tell, and the more secure "everything happens in the browser, including all key operations" part is the optional step now. In the less secure case, while I haven't analyzed it yet, I believe the keys in those cases are being stored decryptable on the server. The passphrase is almost certainly passed to the server.) But, also, bear in mind that Hushmail has *always* allowed people to send non-PGP messages, especially to non-Hushmail users. If one party was a Hushmail user, and one party was not a PGP user, then PGP's not going to be involved. Regardless, boo for Hushmail for not disclosing that they were answering subpoenas like this. ... There *are* bigger forces at play, though. The "mutual assistance" provisions of the Council of Europe cybercrime treaty are horrible, as are these data retention laws. These are going to affect companies based in any country signed to that treaty, including the US. Hushmail, in the end, is relatively weak compared to other Cypherpunk tools, and other ways of using them. The big They are trying to make those other tools and uses illegal. Already we have people in the academic privacy field scampering to appease their new masters, and trying to find ways to do backdoored anonymity safely (are you kidding me? We haven't even worked out the kinks with regular anonymity systems.) But in the end, those are academics scared that their field is going to be made illegal, and so their actions are understandable, if deplorable. Likewise for whatever Hushmail may be doing. A statement from the folks over there would be nice. --Len.