Domain: hushmail.com
Stories and comments across the archive that link to hushmail.com.
Comments · 106
-
hushmail
***** Hard to see how to avoid the hushmail scenario ***** http://www.wired.com/threatlev... ***** http://www.wired.com/threatlev... ***** https://www.hushmail.com/about... ("But I thought the data was always encrypted") *****
-
EFF Resources and Personal Defense
EFF Action: Demand Answers Now! [Direct e-mail form to contact POTUS and your senators+House rep]:
https://action.eff.org/o/9042/p/dia/action3/common/public/?action_KEY=9260
https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9297 [Form for non-US citizens; directed at implicated corporations]
The links below are to resources of the personal-privacy type, as opposed to those intended to help bring about change:
EFF Surveillance Self-Defense Project [Guide to surveillance-avoidance tools and techniques for individuals]:
https://ssd.eff.org/
EFF's HTTPS Everywhere [Chrome/FF plug-in enforces HTTPS on compatible sites using rule-list (hundreds included)]:
https://www.eff.org/https-everywhere
https-finder: Plug-in for HTTPS Everywhere users; auto-detects sites' HTTPS support and adds them to rule-list:
https://code.google.com/p/https-finder/
Privacy-oriented search engines:
https://duckduckgo.com/ [Only search engine on EFF's Organizational Member list]
https://ixquick.com/ [Provides HTTPS proxy through which search results may be accessed]
Privacy/security-oriented free web-mail providers:
https://www.safe-mail.net/
https://www.hushmail.com/
-
Re:Yep this is democracy
Well, in defence of the Democrats....
* This is a good thing, since (hopefully) it will encourage people to encrypt all of their correspondence. Go use http://www.hushmail.com/ if your people are too lazy to have a key exchange party with you. Hopefully more services will crop up to make strong encryption use transparent to the average user.
* This is a concession to the Republicans, since if you haven't noticed, they're filibustering every little budget item to get basic budget bills passed. And that makes sense, because basically that's all the power they have at the moment, so they're using it to great effect to get sweet, sweet concessions that go unnoticed by liberals since they think their party is "in charge". But bills are compromises. The democrats will continue to compromise their core values as concessions just to get government to function.
* Eh, why am I defending the Democrats, they're right of Reagan anyway. http://www.huffingtonpost.com/cenk-uygur/who-is-more-conservative_b_638947.html
(voted third-party, FWIW)
-
email encryption would easily prevent it
In light of email leaks and similar stories in the media, I wish there was more coverage of how to prevent such leaks in the first place. I recommend services that offer encrypted email services like Hushmail and CryptoHeaven. Hushmail http://www.hushmail.com/ for its browser accessible web interface and CryptoHeaven http://www.cryptoheaven.com/secure-email-hosting.htm because of the transparent encryption for email and files which anyone can use with ease.
-
Re:Protesting..
Some friends in Cairo would like to bypass some of the online censorship measures. I've quickly suggested some things (below) to consider overnight. What have I missed?
Anonymous connection:
No:
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking
But:
https://www.eff.org/https-everywhere/
Also:
http://www.hotspotshield.com/
And services like:
http://filesharefreak.com/2008/10/18/total-anonymity-a-list-of-vpn-service-providers/
but verify on the ground.
Only if they understand the tradeoffs:
http://www.privoxy.org/
https://techstdout.boum.org/TorDns/
Avoid random lists of anonymous proxies or DNS servers.
To secure the computer:
Use a popular boot disk that leaves nothing behind, e.g.:
http://www.ubuntu.com/desktop/get-ubuntu/download
Remove metadata:
http://owl.phy.queensu.ca/~phil/exiftool/
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=144E54ED-D43E-42CA-BC7B-5446D34E5360&displaylang=en
and similar for other files they may deal with.
Delete/wipe files securely.
Many uses:
http://mailinator.com/
http://www.hushmail.com/
Consider:
http://www.disconnectere.com/
and its analogues
-
This is very unfortunate
And I'm totally unimpressed that many people aren't upset over this.
Time to move over to https://www.hushmail.com/ I guess.
-
Old News?
It appears that this was reported back in 2007 on The Register.
There is indeed a clause in the clarified terms of service mentioned by the above article that states that your data is not safe from law enforcement authorities with a court order from the Supreme Court of British Columbia, Canada:
We are committed to the privacy of our users, and will absolutely not release user data without a court order from the Supreme Court of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such court order refer specifically by email address to any account for which data is required. However, if we do receive such a court order, we are required to do everything in our power to comply with the law. Hushmail will not accept a court order issued by any authority or investigative agency other than the Supreme Court of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that a court order be issued by the Supreme Court of British Columbia, Canada.
-
Re:Why is this surprising?
Here is a better link: https://www.hushmail.com/hushmail/showHelpFile.php?file=compatibility/java/index.html It is a simple table matrix of differences. If you can't take away the pro/con and what it means to run your encryption scheme on a 3rd party server then you have overstepped your technical competency. This is no fault of Hushmail. They spell it out in black and white. I am so tired of a board like slashdot with the false arrogance of presumed superiority vs. the masses.
-
Re:Why is this surprising?
Actually, I would expect someone to hit their technical FAQ http://www.hushmail.com/help-faqs2?PHPSESSID=eec0a49a477ecd863c4f97f20849d434#roleofjava
-
Always read the disclaimer
The actual disclaimer page isn't even that long. Heck it fits into one page with normal size font. http://www.hushmail.com/login-disclaimer "Hush Communication Corporation (hereby known as "Hush" or "Hush Communications") does not represent or endorse the accuracy or reliability of any of the information, content or advertisements (collectively, the "Materials") contained on, distributed through, or linked, downloaded or accessed from any of the services contained on this website (the "Service"), nor the quality of any products, information or other materials displayed, purchased, or obtained by you as a result of an advertisement or any other information or offer in or in connection with the Service (the "Products"). You hereby acknowledge that any reliance upon any Materials shall be at your sole risk." Basically, whatever we say about keeping your privacy, we may not mean it.
Lovely.
-
Re:Missing from the article
From their FAQ.
-
Re:is webmail to blame
You can try http://www.hushmail.com/ which includes free secure webmail but with limited space.
-
Re:"With results like that..."
I don't see how phone call monitoring is any different to the records your ISP is required legally to keep about every url you visit. Please explain the difference.
1. In the UK, your ISP is not legally required to keep URL histories for their customers. There is a voluntary code of practice that suggests that they should track the hostnames of sites you access through their proxy servers. As long as you aren't using a proxy (and they aren't transparently proxying), you should be fine.
2. While they do track every e-mail sent via their servers (and are, I believe, legally required to), this can easily be circumvented by not using their e-mail service (which I don't). The only way of avoiding phone call monitoring (other than not using phones!) is using a voice scrambler. I understand that this technology is expensive, difficult to use, and (in the UK) illegal.
Google already tracks all the emails I send through their system, and uses it for their commercial advantage - were it not google doing this it'd be yahoo, or NTL
Try a different system, if you're concerned. Hushmail PGP-encrypts all email on arrival without any other processing, and never has an unencrypted copy of your private key on their servers.
even if I used my own mail server, every ADSL contract I have ever seen has a clause in there that allows them to monitor the traffic from servers that you run
Yes. Their acceptable use policy would be unenforceable otherwise, because they have to be able to collect evidence that you've breached it. There's nothing sinister here; they don't routinely packet-sniff and log the details of communications sent to servers you run. Only if there's a complaint.
Companies, employers, parents etc already have access to your credit history
In the UK, nobody has (legal) access to your credit history unless you give them permission. Employers aren't even allowed to ask.
Now were the government to bring in a law that would allow them to hold people for as long as they want without evidence or reason, then that would be something to worry about
You mean the fact that they already have this power over anyone who isn't British (Anti-terrorism, Crime and Security Act 2001) isn't worrying enough?
Police have always been able to search your home without telling you - with a court order - this doesn't ever seem likely to change.
Yes, but the court is independent of the police, (theoretically) non-political, and must be convinced that there is a good-enough reason to do so. Given that the power must exist (I think this is reasonable), then this is the best way of having it.
They can tap your phone, gain access to your Internet communications and require anybody who they can show grounds to believe has access to present your encryption keys to them without ever involving a court (Regulation of Investigatory Powers Act 2000). This is the real problem.
-
Re:Missed out on the "golden age"
I've been using a telnet bbs on & off since 95. The numbers there dropped substantially for a while around the end of the 90s, but seem to have been stable since.
But the dialup BBS may come back to life as a secure email route -- as a method where you are NOT sending packets through a gov't interception point at your local ISP.
I think secure webmail (e.g. hushmail) will be a more popular approach than that. It's hard to know for sure how secure either method is, unless you know the folks running the system, but the webmail is simply easier to use.
-
Protecting one's net.privacy.
TOR and PGP/GPG.. enough people have mentioned them that I will only touch on them in passing. No sense in beating a dead horse. Encrypt whatever traffic you can. If you can set up SSH tunnels to connect to a proxy server that connects to the TOR network or FreeNet, do so. Just remember that not all of the ingress/egress points you will contact will be friendly. Use webmail sites to set up disposable e-mail addresses. Hushmail is good for encrypted webmail, unless you don't mind writing all of your e-mails offline, encrypting them, and attaching them to webmail messages. Don't leave any sensitive information laying around on your computers' hard drives (who on Slashdot has only one computer?) that isn't encrypted. PGP or GPG are good for encryption.. encrypted filesystems are useful, too. Set up encrypted swap partitions if you are able to so that sensitive data can't be written to disk for possible retrieval. Consider removable storage: Encrypt files and move them to a USB key, compact flash card, or something else to get them off the Net entirely. Use secure erase programmes (like shred) to erase the originals. Consider filling up the file systems of your hard drives with junk (copy a big file from the OS, like the kernel image until the filesystem is full, erase the copies, do it again) to scramble the latent data in slack space. Don't let your web browser accept every cookie it's offered. It doesn't take much time to look at a popup window when you go to Foomail.com, see that the cookie would be from drax.bar.com, and hit "Don't set cookie for this site ever." Set up another user account on the computer you do all of your web browsing on and browse from there. Write a little script that securely erases the contents of that user's home directory every time you log off or power down the machine. Erase your cookies and browser history periodically.
Less scrupulous folks might want to consider using the world's largest wireless hotspot (ESSID 'LINKSYS') for their less savory activities. Remember that this is probably illegal in your area. Or go to a library or a local coffee shop that offers free wireless.
-
Re:Simple answer
If you find encryption to be painful, you can use Hushmail. They make PGP easy for noobs. See http://www.hushmail.com/
-
Re:GMail with Encryption?
-
Re:This is Why...
You could also just use Hushmail. If it is encrypted on the server and only you have the key, then you have some basic protection in place. Unless you would have to be doing something interesting enough for a three letter agency to spend time cracking it, you probably do not need much more than that. I'm not doing anything that interesting, so it's good enough security for me.
-
Re:same trick as msn search
Well, none of these companies have privacy and security as their hook. Hushmail does. So, if you want privacy, they're free. As long as you remain sufficiently paranoid (is there any such thing as too much paranoia? Not by my lights!), it adds another layer of security.
Of course, it has a much more cumbersome UI than those others, but that's a trade off.
-
Re:This reeks
-
Re:GPG
The Hushmail service uses PGP and allows you to encrypt your messages with PGP and receive PGP encrypted and signed messages. Be sure to pick a good passphrase!
-
Hushmail !
For that reason, sites like Hushmail allow SSL-secured web-based confidential mail.
-
Hushmail/PGP?
If you're concerned about your email security, why not...oh, I don't know, buy a domain, web, and email hosting? Heck, you could even run the mailserver off your own DSL line at home and delete your own mail thoroughly. There. Problem solved.
Oh? You need to send mail to other people? Hmm. Gee. How about that wonderful thing called "PGP"? Thunderbird has built-in support for S/MIME security, and with the addition of the Enigmail extension has built-in PGP support. I use it daily for private emails. How much does it cost? Nothing.
If you need to access secure email from remote locations, or possibly have a pseudo-anonymous account, check out http://www.hushmail.com/. It's free (they also offer paid services), will generate PGP keys for you on the spot, yet all the encryption/decryption is done via a Java applet on your computer, such that even Hush can't read your email. They even have a "generate random address automatically" feature for those truly concerned about anonymity. Yes, the keys stay on their server, but if you're truly concerned about the authorities, choose a very difficult passphrase -- they can only subpoena your keys; without the passphrase they can't decode them.
Oh, and Hush is located in Canada too.
-
Re:Web Mail
Yeah, maybe someone should come up with a webmail client that seamlessly incorporates SSL and PGP crypto--oh, wait, it's been done.
-
Re:It Means
You may want to take a look at http://www.hushmail.com/ which uses PGP-compatible secure log-ins and it's web-based.
-
Change the system through the system
I don't think we'll see action on this area until people start sending anonymous copyright takedown notices to the ISPs of members of congress, as well as the heads of major corporations, showing them the folly of giving others full control over your life and business without due process. Of course such a thing would be illegal and dangerous, and a person would have to be crazy to do such a thing. After all, laws are a social contract, which we must obey in order for society to function. In a society ravaged by terrorism like ours, sending mixed messages is the last thing we can afford.
-
Re:I must ask...
Is it Hushmail?
...at least on Mac. They claim it works with Safari, but I could never get it to work. On the other hand, I don't suppose it is nearly as difficult to get Mac IE users to switch to something else.
-
Re:Another perspective.
It is easy to get great ideas from them, but not easy to get them to organize, or agree, or even figure out how to agree.
While I have observed this trend myself, I humbly submit the following idea that occurred to me over coffee at Waffle House this evening:
Perhaps the very fact that they can't agree can be used to everyone's advantage. Everything is a matter of perspective, largely dependent upon the resolution of your viewing equipment. Projecting to a near-term future where ubiquitous computing is realized (Magic Kingdom style), we see a massive number of discrete capitalist micro-transactions taking place at a very fast pace.
From each individual's perspective, he's "buying resources" and "selling goods" he's produced so rapidly that he feels as though his needs are being met automatically. Zooming out to a global perspective, it appears that the entire planet is operating in a highly socialist manner. High density and frequency of individual capitalist transactions results in global socialist outcome. I guess this depends on population density to work well, though. Signs of this sort of emergent behavior are already being exhibited in densely populated and technologically advanced societies such as Japan. No wonder Gibson likes those folks so much...
Incidentally, I have a strong gut feeling that any person or group attempting to exercise control over such a vast system will feel the unfortunate backlash we've come to recognize from such famous experiments as the War on Drugs.
In other words, we're proving that current attempts at regulating free market behavior only serve to prove economists right by producing black markets devoid of said regulation. There's no reason the math would work any differently in the future, and considerable reason to believe that regulatory bodies will become increasingly impotent. Then there's the question of motivation: if everyone can easily obtain everything they want anyhow, what reason would even the worst egomaniac have for trying to control the system? It would be kinda like moonshiners trying to control the liquor market while consumers can buy legit product for $10 a jug.
I'd like to compliment you: I have a hard time finding many people who help me generate/refine ideas this way. You seem like a cool person. As stated in my last reply to your post, I'd be honored if you'd be willing to toss around more ideas with me from time to time. Please consider donating a few bytes of your bandwidth to pparadis@transops.net if you have a couple of minutes to spare here and there. If you're concerned about your privacy (a guess considering your non-public email), I highly recommend creating a free account at some free mail provider (more disk space now, competition is so yummy) or HushMail. Thanks!
-
Fastmail.fm
I did some research on browser-based Email in January, and I found that www.fastmail.fm is about as good as it gets. It is very fast, and has a very powerful user interface. Check them out.
Also, for the tinfoil lovers in the audience, there is hushmail which I believe has been discussed here before. MUCH slower than fastmail, but very secure.
-
Re:PGP
Hushmail has a keyserver holding private keys so you only have a key used for email and this is available anywhere. It's cool but I stopped using it since nobody I talked to used it.
-
Hushmail
No... I have a better idea, instead of getting the government involved if you don't like it then you can choose to use an email service more to your liking.
Personally I like the encryption idea and wish it was integrated into more webmail sites. Hushmail has a pretty interesting implementation of this, having all the email stored encrypted on the server and the user views their email locally by decrypting it with a java applet. I'm disappointed more people aren't interested in encryption (if more people were maybe there would be more services like this).
Though I'm not sure if that could be implemented with gmail, how would you search and organize a gig of email without decrypting all of it?
-
Re:Erase the cookie
Well, you could do it like Hushmail does, and encrypt the mail using a client-side java applet so the mail is already encrypted before it even gets to their servers.
-
Re:In Google We Trust
But, since e-mail is unencrypted, every e-mail provider on the face of the Earth has the same ability to breach that trust, including MSN Hotmail, Yahoo, Earthlink, and whoever/whatever you trust your e-mail to.
Incorrect use of word every See..
-
Re:Where the hell do you guys get this crap?
I use 2048 bit keys. These guys use 2048 bit keys in a free encrypted email service. And I'm not saying the NSA isn't ahead of the curve. I'm saying they don't have some kind of space man science, which is what it would take to crack a reasonable length key.
Anyone who really needs things encrypted should be using 2048 bit keys.
-
alternatives
hmm... should this have been 'news'? most people (well, at least on here) know of sites like Hushmail which offer much better (and still free) security for web-based email. Hotmail and Yahoo are... well, about as secure as windows
:)
-
Re:Double standard?
It does when you use hushmail.
-
Google + Hushmail
If google really wants to do something worthwhile with email, they should go out and purchase hushmail. I happen to be a big fan of their service (web based PGP compatible email!) but I loathe how *few* people actually use encryption in email. If a powerhouse like google offered not just webmail, but *encrypted* webmail, I bet that the conversion rate would be pretty mind-blowing and voila, the huge bump encryption / PGP / GPG needed to get to the point of critical mass.
Can you imagine a world in which you can say to someone: "what you mean you don't encrypt your emails?" Please make it so google!
-
Re:resumable downloads and liveconnect!!!
https://www.hushmail.com relies extensively on LiveConnect for encrypting/decrypting email and attachments.
-
Re:Opt-in for all email: Human Authenticators
i use hushmail, and it has a human authenticator system...
any user not on my allow list is sent an email to validate they are a person (it sends them to a link and they have to click on a moving icon in a picture)...
if they do this, their email automatically goes to my inbox, otherwise it gets grouped with the spam...
it actually works pretty well...
a system like this combined with an opt-in system would work pretty well, i think...
-
Re:No GPG?
Hushmail uses a Java applet to encrypt mail - maybe you could get your grandmother to use that. There are other Java crypto implementations, such as Cryptix. Packaging one as an applet shouldn't be too hard.
-
Hush
I use Hotmail myself, but I've used Hushmail in the past.
-
Do these updates let Hushmail work on OSX yet?
I think Hushmail is using some weirdo sun.* encryption library that hasn't so far been included with Apple's Java libraries. Have they fixed this? It sucks having to check my Hushmail account at work...
-
Re:A good point
Are there any really good free web based email clients out there that you can suggest where this thing might not be an issue, what do you use ?????
I use Hushmail.
-
Re:The price you pay for getting something free
or you could just get a free 2048-bit encrypted account at hushmail.com
-
Re:Gaim-E
Actually, AIM already had this since last year, for corporate users. Also, Hushmail has been doing this for a while now too.
-
Re:FreeNet
So, it would seem that we need a peer-to-peer service that is built with the following attributes:
-completely anonymous users, file transfers, hosts, etc.
-reliable and stable structure
-decentralized topology
-efficient data management
-and complete deniability (I didn't host that file, or I didn't download that file, as members can't control content on the network)
We do. We have several.
- FreeNet, and similar projects (Publius, FreeHaven) for distributing anonymous files
- The Invisible IRC Project for anonymous, deniable instant messaging
- InvisiBlog for blogging
- MixMaster and Hushmail for email
- Anonymizer and Peek-a-booty for browsing
Anyone care to add to this list? I've only put the ones that immediately spring to mind, but I know there are more distributed anonymous deniable chaffed encrypted file-share programs that I've not tried.
-
Re:illegal porn??
"Then you take one of these and put it over the border in Mexico at your friend's house across the other side of the border. Who can press charges? Any answers anyone?"
How about we just put all of our hard drives in Mexico? Or Canada. Or the British West Indies.
-
Old news
Hushmail has had a challenge/response mechanism for quite a while now. And it works remarkably well
...
-
Re:Another harvesting idea?
I thought so too, but for whatever reason, I don't think I have ever received much, if any spam from the address on my keys. Also I have certainly never received a single spam that was OpenPGP signed. I was thinking about requiring all incoming messages to be pgp signed, or else they get smtp bounced. I could include a link to hushmail or a faq about OpenPGP... What do you all think?
-
Article is wrong...
Disclaimer: I am biased because I have a college account. Of the past 547 emails I have received, none of them have been spam. Before that I had a Hotmail account (mike_hamburg at hotmail dot com), which is still open (although I don't check it often), but it receives only about 2 spams a week. Please restrain yourselves from selling me to a list out of spite.
The article is wrong. Spam is a big problem, but it will not "end email as we know it." There are plenty of ways to curb the problem that have not been implemented yet.
The best suggestion that I have seen to curb spam, although it would be hard to implement and people would bitch about it, would be to have a payment based system. Everyone has a contact list of people who can send them mail for free. If you're not on that list, you have to pay a penny to send a message. Since the profit margin on spam is less than a penny per message, no more spam, or at least not much. Hard to implement, but it would work.
Other than that, there's Hash Cash, which could be combined with the above system, to increase the computational load of spamming. Easier to implement, and to get people to switch to, could reduce spam, not a cure-all.
Encryption and digital signatures would be a useful technique too. Require all mail in your inbox to be encrypted with a Diffie key would help, as Diffie encryption is much harder than decryption. This would also increase privacy, although changing the protocol to prevent traffic analysis would be a bitch to get off the ground (although you can get something like this already at Hushmail).
Bayesian spam filtering or other advanced techniques might also help to curb the problem, but they are a bit like a band-aid on a bullet wound. The article is at least right in that spam filters are not the solution.