| Pages:
1
2 |
WizardX
Hazard to Self
Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline
Mood: wizardx.suddenlaunch3.com
|
|
Hushmail open to Feds with court orders.
Hushmail open to Feds with court orders. US federal law enforcement agencies have obtained access to clear text copies of encrypted emails sent
through Hushmail as part a of recent drug trafficking investigation.
http://www.theregister.co.uk/2007/11/08/hushmail_court_order...
Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
Anyone who communicates by any means more complex than two Dixie cups and a length of twine is subject to interception. The telecoms industry and the
national-security establishments have been intertwined since Day One.
So anyone who thinks bullshit blandishments about encryption by free email providers will protect them from law enforcement and allow them to conduct
criminal conspiracies with impunity is...naive. Dense. Dim. Dead from the neck up.
Remember, the US Government (specifically ARPA which is part of the DOD, the Pentagon) created the Internet.
The right of privacy, to the extent that it exists at all in cyber, does not give anyone a license to engage in crime.
Sic gorgeamus a los subjectatus nunc.
|
|
|
S.C. Wack
bibliomaster
Posts: 2419
Registered: 7-5-2004
Location: Cornworld, Central USA
Member Is Offline
Mood: Enhanced
|
|
http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.htm...
As the original article says, this only applies if you're not running the crapplet. Any moron who would disable Java before signing in and thus expose
themselves get what they deserve.
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
Hushmail's spam filter, which originally was quite effective, is now less than 50% effective.
Anyway, Hushmail is a Canadian company and the court orders it has complied with are Canadian court orders.
Despite that I seriously advise anyone not to think that any applet is going to protect anyone from national-agency level access, period, full stop.
[Edited on 11-11-2007 by Sauron]
Sic gorgeamus a los subjectatus nunc.
|
|
|
chemrox
International Hazard
Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline
Mood: LaGrangian
|
|
I'm going to take issue with my friend Sauron's implication that using hushmail and relying on it for privacy implies involvement in crime is dead
wrong. It is like saying that putting your letters in an envelope indicates your having something to hide. I had a hushmail address so I could
comunicate with a partner on patent application matters. I might not want some publication starved prof reading my geochem reports either. And, I'm
sure this is quite common, what if my sexual mores don't conform and I don't want that made public? In Amerika, and I love the country my forefathers
founded, nearly everything is proscribed and/or required by some statute, regulation, code, registration, ..etc. We're due for another revolution.
The Supreme Court of the US, in Roe v. Wade, found that the 1st, 2nd, 4th, and 5th Amendments collectively created a right to privacy. Furthermore
the whole concept of a free people means a right to privacy without which the word "freedom" is meaningless. The biggest threat to a democratic
society is the citizen who believes, "if you have nothing to hide... " Am I passionate about this? Yes! Sorry for the blog but this is important to
me. Now having sounded off as I have, I agree with Wack for a change, if a guy is dumb enough to rely on server side provided privacy *he* gets what
*he* deserves. (I love English grammar too.) After agreeing that the guys were stupid to carry on crimes assuming they were over the internet using
a privacy service, it is still a sad day and evidence of how far a controlling corrupt misguided administration will go toward its less than admirable
ends. As a practical matter, wouldn't regular email and rigorous use of PGP have been a better choice? I only got the hushmail because my buddy had
trouble managing his PGP files.
[Edited on 10-11-2007 by chemrox]
"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
God damn it, that is NOT what I said.
What I said was that "free encrypted email" is not really secure, and that ANYONE who thinks it is secure from official scrutiny is living in a fool's
paradise.
I'm a Hushmail user myself, so I would hardly equate using Hushmail per se with criminality.
However, clearly, the email provider is perfectly willing to cooperate with legitimate government demands and that is perfectly fine with me.
What astonishes me is the naivete of anyone who ever thought otherwise.
Sic gorgeamus a los subjectatus nunc.
|
|
|
MadHatter
International Hazard
Posts: 1332
Registered: 9-7-2004
Location: Maine
Member Is Offline
Mood: Enjoying retirement
|
|
Encryption
Using encryption on the server side was clearly what got these idiots caught. No
encryption system is perfect but damn it, I'll encrypt from MY side. Those guys also
impress me as being lazy.
[Edited on 2007/11/11 by MadHatter]
From opening of NCIS New Orleans - It goes a BOOM ! BOOM ! BOOM ! MUHAHAHAHAHAHAHA !
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
chemrox, my advice is that if you want to protect your proprietary business information, then encrypt it onto a flash drive on a standalone machine
and courier it to your partner or lawyer and have him decrypt it on his own standalone. Putting anything on the Net or on a network and relying on
encryption for security is false security. Physical security is better, and encrypting en route keeps prying eyes out.
Sic gorgeamus a los subjectatus nunc.
|
|
|
chemrox
International Hazard
Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline
Mood: LaGrangian
|
|
thanks Sauron - I agree- our (net) conversations have been very conceptual btw but you're right. Madhatter, I couldn't agree more. Still I wish
Hushmail had put up more of a fight, on principle..
"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
Hushmail would have been cited for contempt of court in a NY minute if they had refused to comply with a lawful court order.
That tends to make the judge see red.
Sic gorgeamus a los subjectatus nunc.
|
|
|
WizardX
Hazard to Self
Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline
Mood: wizardx.suddenlaunch3.com
|
|
| Quote: | Originally posted by chemrox
Still I wish Hushmail had put up more of a fight, on principle.. |
I concur! On the principle that Hushmail allowed a weakness on their system, that the Feds exploited.
Hushmail should force the downloading and execution of the java applet period, to ensure the highest secure cryptology.
Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
As a Hushmail user, I can assure you that should Hushmail make the use of their Java applet mandatory instead of at the discretion of the user, I
would drop my Hushmail account like a hot rock.
I set up that account because I was tired of being poked and prodded by Microsoft (Hotmail) "for my own good" so I am sure as shit not going to sit
still for Hushmail forcing me to use encryption that I neither want nor need.
Sic gorgeamus a los subjectatus nunc.
|
|
|
WizardX
Hazard to Self
Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline
Mood: wizardx.suddenlaunch3.com
|
|
When using this secure web-based email system, you have the option of enabling or disabling Java support. Turning on Java provides an additional layer
of security, but is not necessary for secure communication using this system. To learn how to install Java, click here (recommended).
https://www.hushmail.com/hushmail/showHelpFile.php?file=comp...
Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
I repeat: I have no need for "secure communications"
I especially have no need for insecure "secure communications" in which the "security" is a cynical and transparent mendacity.
Anyone who NEEDS truly secure communications and communicates on the Internet, is a fool. One might as well shout his secrets from the rooftops. Or
put them on a web page.
A federal agent friend told me, oh, thirty years ago, that if criminals would just wise up and stop talking on the telephone, they'd be a lot harder
to catch.
He was not particularly referring to wiretapping or NSA intercepts, but to simple phone logs - lists of calls sent from and received by a particular
number, and which are maintained by every telephone service provider. Federal agencies can obtain these just by administrative subpoena - not a court
order, but merely a written request from the agency to the phone company.
Let's see, who was President at that time? Jimmy Carter. And it was nothing new.
My point is: telecommunications and REAL security do not happily coexist. The government spends a great deal of money making sure that their commo is
secure and another great deal of money making sure that no one else's is. And they succeed to an extent you are never likely to know.
I put as much faith in Hushmail's "secure" email as I do in the protection afforded to someone against knives and guns supposedly afforded by certain
Buddhist amulets. What a quaint notion!
Sic gorgeamus a los subjectatus nunc.
|
|
|
Phosphor-ing
Hazard to Others
Posts: 244
Registered: 31-5-2006
Location: Deep South, USA
Member Is Offline
Mood: Inquisitive
|
|
What do you think about Stealth Message?
http://www.stealthmessage.com/
I personally like the self destruct feature. doesn't allow anyone to keep sensitive information.
|
|
|
vulture
Forum Gatekeeper
Posts: 3330
Registered: 25-5-2002
Location: France
Member Is Offline
Mood: No Mood
|
|
Just use fucking PGP?
One shouldn't accept or resort to the mutilation of science to appease the mentally impaired.
|
|
|
JohnWW
International Hazard
Posts: 2849
Registered: 27-7-2004
Location: New Zealand
Member Is Offline
Mood: No Mood
|
|
If you were REALLY smart, you would use TWO forms of encryption to conceal the content of incriminating emails: - one encryption using PGP; and the
other consisting of a special code made up in advance between the parties to the communication, in which incriminating words are replaced by innocuous
code-words (e.g. "missile" replaced by "chicken"). A third type of encryption could be added to these, in which letters and numerals are replaced by
others chosen from not only alphanumeric characters but also other symbols from the ASCII character set. Commonly-used letters like "a" and "e" could
be replaced by several different code-characters used at random, so as to foil frequency-analysis decrypting.
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
People who believe in unbreakable encryption available to the public remind me of Hitler's faith in the Siegfried Line.
Misplaced and illusory in both cases.
Sic gorgeamus a los subjectatus nunc.
|
|
|
chemrox
International Hazard
Posts: 2961
Registered: 18-1-2007
Location: UTM
Member Is Offline
Mood: LaGrangian
|
|
PGP is theoretically breakable by brute force but the investment in computer resources is formidable even for NSA and it would have to be a high alert
NSA issue for a successfull PGP attack. Like Asama Bin Laden's whereabouts or plans.
"When you let the dumbasses vote you end up with populism followed by autocracy and getting back is a bitch." Plato (sort of)
|
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
That's the conventional wisdom from outsiders. The insiders are happy to aid and abet that assumption. Personally I would not give a plugged nickle
for the accuracy of that statement.
The French used to believe in the Maginot Line, at one time. As Patton said: fixed fortifications are monuments to the stupidity of man.
Sic gorgeamus a los subjectatus nunc.
|
|
|
not_important
International Hazard
Posts: 3873
Registered: 21-7-2006
Member Is Offline
Mood: No Mood
|
|
If the NSA had anything better than massive hardware arrays to crack compromised encrypted messages, I doubt that Clinton's Clipper Chip and the
"crypto is munitions" nonsense would have come about. Better to just be quite and let cryto algorithms the the NSA knows how to lockpick get widely
used.
Not every crypto-nerd is a amoral geek working for the NSA or its kin, there's a number of independent workers who have gone over the leading
algorithms looking for weaknesses. So far there's only been minor weaknesses found when using poor keys, special message strings, or limited versions
of the algorithms.
Brute force decodes with an iterated key, looking for output that meets statistical tests for being meaningful. As most encryption gives output that
is close to random noise, encrypting with one algorithm and key, then encrypting the output with a different key and perhaps algorithm makes brute
force much more difficult; each attempt on the outer coding must have its result test via brute force to se if the outer key has been found. The
result 2^400 or larger number of trials to break the coding still takes a long time with any known existing hardware.
The NSA is interested in quantum computers as a way to speed up brute force attacks, but there's no evidence that they've some breakthrough; given
the nature of the US government in this century it's likely such work would have been farmed out on a no-bid contract to politically connected
companies, who would do the same quarter-assed job as they done with other such contracts. The story may be different if the Chinese and Indians
start cooperating on such tasks, but the NSA won't be getting the results of that research. The current US administration is more likely to declare
the people involved with the crypted message to be terrorists and pack them off to some corner of the world where they can be waterboarded into
revealing what the message was, or at least to saying that the message was what the government wants it to be.
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
| Quote: | Originally posted by Sauron
That's the conventional wisdom from outsiders. The insiders are happy to aid and abet that assumption. Personally I would not give a plugged nickle
for the accuracy of that statement.
The French used to believe in the Maginot Line, at one time. As Patton said: fixed fortifications are monuments to the stupidity of man.
|
Thanks, not_important, for saving me the effort of typing out what you did. As another piece of evidence against the capability of governments to just
decrypt whatever messages they please, cases against high-level mob figures and drug chemists who used encryption have involved planting keyloggers on
the suspect's computer. There's no evidence of the government breaking strongly encrypted messages at-will and all open academic research suggests
that sort of capability would be extremely expensive, even when compared with the large budgets of national intelligence agencies. Believing that the
NSA can easily read any message it pleases is akin to believing that NASA has secret manned bases on Mars -- unsupported by any empirical evidence and
strongly suggested against by the facts that are available.
That's not to say the government can't eventually get people who use encryption, if it's important enough, but the attack will be an end-run around
your security (trojans, keyloggers) rather than a frontal assault on it.
PGP Key and corresponding e-mail address
|
|
|
unionised
International Hazard
Posts: 5103
Registered: 1-11-2003
Location: UK
Member Is Offline
Mood: No Mood
|
|
"People who believe in unbreakable encryption available to the public remind me of Hitler's faith in the Siegfried Line."
How do you propose to crack one time pad?
Last I heard it was still secure. A pita, but secure.
|
|
|
WizardX
Hazard to Self
Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline
Mood: wizardx.suddenlaunch3.com
|
|
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
| Quote: | As of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists,
including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced
that AES may be used for classified information:
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the
SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect
national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use." — [2]
This marks the first time that the public has had access to a cipher approved by NSA for encryption of TOP SECRET information. Many public products
use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety
margin for top secret documents (which may require security decades into the future). |
Cryptanalysis.
http://en.wikipedia.org/wiki/Related-key_attack
http://en.wikipedia.org/wiki/Chosen-plaintext_attack
http://en.wikipedia.org/wiki/Side_channel_attack
Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
|
|
|
WizardX
Hazard to Self
Posts: 61
Registered: 11-8-2005
Location: wizardx.4shared.com
Member Is Offline
Mood: wizardx.suddenlaunch3.com
|
|
Side channel attack. http://en.wikipedia.org/wiki/Side_channel_attack
In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than
theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even
sound can provide an extra source of information which can be exploited to break the system. Many side-channel attacks require considerable technical
knowledge of the internal operation of the system on which the cryptography is implemented.
Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically called side-channel attacks: see social
engineering and rubber-hose cryptanalysis. For attacks on computer systems themselves (which are often used to perform cryptography and thus contain
cryptographic keys or plaintexts), see computer security.
One simple intelligence gathering that will drastically increase a brute force attacks is knowing how many characters in the password.
Example. Let's assume this password: cGd6uB91V4ma
In a password field box it will look like this: ************
12 characters in the password cGd6uB91V4ma
Therefore, you can narrow a brute force attack to a 12 character password, as you know the password has ONLY 12 characters. Of course, you will need
to generate ALL passwords with upper & lowercase alphabet, 0-9, symbols and hex.
Albert Einstein - \"Great ideas often receive violent opposition from mediocre minds.\"
|
|
|
| Pages:
1
2 |
![[*]](images/xpblue/default_icon.gif){kind=icon}
