Re: [PLUG] Reasonably secure email

Randall A Sindlinger on 5 Jan 2009 10:57:43 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Reasonably secure email

From: Randall A Sindlinger <rsindlin+plug@seas.upenn.edu>

To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>

Subject: Re: [PLUG] Reasonably secure email

Date: Mon, 5 Jan 2009 13:57:34 -0500

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

User-agent: Mutt/1.5.16 (2007-06-09)

On Mon, Jan 05, 2009 at 12:11:53PM -0500, Art Alexion wrote: > > > but the emails are still encrypted; they're just making the > > password accessible, if I read it correctly. > > The way I read it, Hushmail sent the targets a hacked version of the encryptor > that seemed to add a "backdoor key" that allowed decryption. Whether or not > the Feds used the backdoor key or Hushmail used the key and delivered the > email to the Feds unencrypted seems of no significance. > My take was based on this: "That everything seems to include sending a rogue Java applet to targeted users that will then report the user's passphrase back to Hushmail" -from http://www.privacydigest.com/2007/11/19/hushmail+warn+users+law+enforcement+backdoor > > > Nothing the feds *couldn't* > > do, just hushmail is doing it for them, IMO. > > Are you suggesting that the Feds could crack the PGP keys without Hushmail > deceiving their customer with a hacked encryptor? > No, no. I'm suggesting the Feds could set up a Man-in-the-Middle attack, or equally effective ruse, to deliver their own rogue version of the Hushmail Java applet and trick the suspect into divulging their password, without any cooperation from Hushmail. As said in another thread "Criminals go after the low-hanging fruit." Not necessarily so for the Feds :-) > Hushmail honors the subpoena by delivering the encrypted email, and letting > the Feds try to do with it what they can. Deceiving customers with a hacked > encryptor is well beyond their legal obligations under the subpoena. > > What complicates this one is the international aspect. Hushmail was > responding to a Canadian subpoena. I don't have a clue what a Canadian > subpoena requires. The Canadian authorities issued the subpoena at the US > authorities' request. > Precisely. The privacydigest article suggests as much in quoting Hushmail as saying "That means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently" -Randall ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

References:

Re: [PLUG] Reasonably secure email
From: Randall A Sindlinger <rsindlin+plug@seas.upenn.edu>

Re: [PLUG] Reasonably secure email
From: Art Alexion <art.alexion@gmail.com>

Prev by Date: Re: [PLUG] monitoring employee web browsing

Next by Date: [PLUG] Matrox G400 AGP dual head

Previous by thread: Re: [PLUG] Reasonably secure email

Next by thread: [PLUG] monitoring employee web browsing

Index(es):

Date

Thread