Encrypted Email and Online File Storage - Cryptoheaven

Adam: Kurzawa writes: "CryptoHeaven is a new online service offering secure services: secure free mail, secure file sharing, distribution and storage secure instant messaging, secure discussion lists, automatic key and contact management, no third party key holder, all services integrated into one user interface, accessible anywhere, anytime CryptoHeaven uses the AES symmetric cipher Rijndael with 256 bit symmetric key, public-key cryptography with 2048-4096 bit asymmetric keys (user selectable) and SHA-256 message digest function. Free and premium accounts are available. Source code is available for download free of charge."

Hmm, but who would use it?

[pwagland]

I am not sure at what market this is aimed.

It has all of the facilities to do "access from anywhere" computing, except to do that, you have to store your private key on the server (or at least be able to get access to it from anywhere).

If the private key is on the server, then the system is potentially compromisable, and it would appear to lose the it's main selling point.

OK, fine, then don't store your private key on the server. But that means that you are restricted as to where you view the data from, or you must have some means of transporting the private key. But if you are going to restrict yourself to this, then why not just store the secure data on this secure machine? So that appears to be another class of people eliminated...

OK, so then, who is left. I can see how people would like to use this as an anomyous service, but to do that, you have to leave the private keys on the server, otherwise they can pin the account to you. But, this seems inherently dangerous, since one can sniff the password from the server, decrypt your private key, and use/abus your account.

So again I ask, what are the target demographics here? As far as I can tell it is not the security conscious, and it is not the truly paranoid. So who?

Re:Hmm, but who would use it?

[imrdkl]

It has all of the facilities to do "access from anywhere" computing, except to do that, you have to store your private key on the server (or at least be able to get access to it from anywhere).

I dont think so. The key is created on the client side using Java crypto. Uploading the private key to the server is optional. The only thing you need to access the service thereafter is the jarfiles which make the UI, and a JDK 1.3 RT. You can carry your key around with you on a self-destructable (10 seconds, Jim...) floppy, if you're really concerned about access from anywhere.

Re: Hmm, but who would use it?

If you want to use CryptoHeaven as a mobile user with a laptop, you do not need to store the encrypted private key on the server. This option is necessary for people that will be accessing their accounts from some one elses computer where the private key is not available.
Even when the key resides on the server, it is well encrypted using Rijndael(256) with a hash of your passphrase. When the strength of your passphrase is high, the risk is low.
You could take your key file (encrypted) with you on a floppy, and access your account from another location. The key file is small, but the account may hold many megabytes of data in it.
Server does not store your passphrase, or its hash, your passphrase is not stored or sent anywhere. It is only used to encrypt/decrypt your private key on your local computer. If you forget your passphrase, CryptoHeaven cannot recover your data.

Re:Hmm, but who would use it?

[DaveHowe]

The base model seems to be the same as Hushmails (with the one exception of an option to store the key locally; hushmail doesn't have that)

at least at first glance, it looks good - actual encryption model is very pgplike, with public keys protecting session keys protecting messages via symmetric encryption; however, even Hushmail has realised that OpenPGP compatability is the way to go, and has set up a site to allow PGP users to import their DH public keys to Hushmail (for use by hushmail users) and export their hushmail keys for upload to keyservers.

With the inclusion of file storage into the pot, it looks like an attempt to take the Hushmail business model and run with it - but unless they move towards OpenPGP compatiability, they will almost certainly lose the interoperability war, and with it a lot of potential users.

Re:Hmm, but who would use it?

[BitterOak]

Can't the private key be encrypted with a passphrase before storing it on the server?

Then, when you wish to log in, the encrypted private key is downloaded into the client and decrypted with the passphrase. Thus the folks that run the server never see the private key.

I'm not sure if that's the way Cryptohaven works, but many other services use this model.

Re:Hmm, but who would use it?

I had a brief look at the code, and indeed that's how it works. The private key is encrypted locally and then send to the server.

This is a secure way of doing things, you just have to make sure your password is long and impossible to guess.

Re:Hmm, but who would use it?

[Kris_J]

or you must have some means of transporting the private key.

I keep a copy of my PGP key rings on the MMC card that I use in my portable MP3 player. Alternatively I could store it on my Palm/TRGpro. For a while the Swatch Access watches with their RF contactless smartcard technology looked promising, but I don't think the reader/writer mousepad was ever released. There are many ways to transport tiny amounts of digital data.

Re:Hmm, but who would use it?

[MrFredBloggs]

Cracking a passphrase is trivial.

Wait, this can't be..

[redhotchil]

A subscription service, so, you mean, an opensource company... making money? Blasphemy!

Cryptanalyse this!!!

[The+WIPO+Troll]

THE OFFICIAL TACO-SNOTTING FAQ
By The WIPO Troll, $Revision: 1.11 $

Why have I been receiving emails from CmdrTaco, in which he seems to be speaking in some kind of code language?

Whenever Rob "CmdrTaco" Malda gets bored (and who wouldn't, running a site like Slashdot all day), he roams through the Slashdot database, penis in hand, looking for people who might enjoy engaging in homosexual orgies with him. How he determines this is anyone's guess; but if you have a homosexual-sounding nickname, or a nick with the letter P in it, you're in trouble.

So this time, he found you. Lucky you.

CmdrTaco's code language is relatively easy to decipher. He prefers to speak in thinly-veiled sexual innuendo to evade the watchful (but relatively stupid) eye of Slashdot's parent corporation, VA Software. CmdrTaco's "Commander" is, of course, his penis -- a small, withered little thing that lives in his pants that only comes out in the presence of other men or at the beck and call of CmdrTaco's own right hand. His "Taco bells" are the shriveled testes that droop beneath his Commander, and his "Taco sauce" is his, well, jizz. It should be more than obvious to you now what he means when he asks you to "ring his Taco bells" or "taste his gourmet Taco sauce."

Lastly, there is a practice he refers to as "Taco-snotting" and the more shocking "circle-snot."

Good Lord. What is "Taco-snotting?"

"Taco-snotting" is the term used by CmdrTaco to refer to the practice of sucking the penis of a homosexual man (or unwilling heterosexual; CmdrTaco is rumored to prefer rape), then blowing the semen out his nose onto his partner's (victim's) face and body. A long, bubbly stream of milky-white semen is left on CmdrTaco's face, dribbling out of his nose and down his cheek: hence the term, "Taco-snotting."

A "circle-snot" is a Taco-snotting circle-jerk, another practice common among the Slashdot crew. CmdrTaco, CowboiKneel, and Homos get together and Taco-snot each other with their gooey, sticky cum -- spooging their jizz-snot all over each other's faces and pasty, white bodies, until they're covered head to toe with each other's man juice. This can go on for hours. For the homosexual penetration that follows this lengthy foreplay, Roblowme is usually there to provide plenty of anal lubricant; he owns a limo service and has ample supplies of motor oil and axle grease ready to go.

To complete this perverted orgy, fellow geeks Michael, Timothy, and Jamie will usually join in, dressed in tight leather mock-S.S. uniforms, jack boots, and leather gloves. The whole group then proceeds to snot each other's spunk and whip each other's pudgy asses with riding crops and chains until their pale, white geek bodies are exhausted and soaked in stinking sweat from the hours of passionate, homosexual revelry.

Ewwwwww. So, can I stop receiving these emails?

Hopefully.

You most likely forgot to uncheck the "Willing to Taco-snot" checkbox in your account preferences. CmdrTaco has probably already got the hots for your wad, and he's probably already been lurking outside your bathroom window for weeks with a camera, some tissues and lube. There's no escaping a geek in heat, so it's probably too late for you, but you can possibly rectify this situation. To remove yourself from CmdrTaco's sights, log into your Slashdot account, go to your user page, click on Messages, and uncheck the box next to "Willing to Taco-snot." Maybe he'll ignore you. Probably not.

I can't stop receiving these emails from CmdrTaco!?

If you indulge him in a Taco-snot or two, he might leave you alone. You might also want to look into mail filtering, restraining orders, or purchasing a heavy, blunt object capable of warding off rampaging homosexual geeks in heat. Trust me, when they charge... oh, the humanity. If he gets you, and you let him Taco-snot you, you will most likely end up tied up in his basement to be used as his sex slave for the rest of your life (or until he accidentally drowns you in spunk in a circle-snot).

Have you ever been Taco-Snotted?

Unfortunately, yes. I first met CmdrTaco at an Open Source Convention. He invited me back to his room for a game of Quake and some "gourmet Tacos," but when I got there, he jumped me and tied me to his bed, stripping me. After taking his "Commander" out of his pants, Mr. Taco made me suck the withered thing six times. He then performed his vile Taco-snotting ritual on me three times over the next two hours, bringing me to orgasm after sweaty, mind-numbing orgasm... then he snotted my own milky-white jizz back onto my face, into my mouth, then again on my exposed belly.

CmdrTaco invited several of his Open Source (or rather, "Open Sauce" -- man sauce) buddies over to continue the twisted snotfest. Linux Torvalds raped my ass with his "monolithic kernel," and Anal Cox used his "network stack" in a multitude of unspeakable ways on and in every orifice in my defenseless body. Michael was there in his leather Nazi uniform, caning my ass with a bamboo pole and ranting about "all those Censorware freaks out to get him."

How did you finally escape, you ask? After about 16 hours of countless homosexual atrocities perpetrated against my restrained body, they all finally went to sleep on top of me, sweat-soaked and exhausted. I was left there, covered in bubbly, translucent jizz-snot, chained to the bed, with half a dozen fat, pasty-white fags lying around and on top of me. Fortunately the spooge coating my flesh worked wonderfully as a lubricant; I was able to squirm my way out of the handcuffs and slip out the back door. I'm just glad I survived the ordeal. These geeks had a lot of built-up spunk in their wads -- I could've easily been drowned!

That's horrible. Does "Taco-snotting" have anything to do with CmdrTaco's "special taco"?

No, that's a different disgusting perversion CmdrTaco indulges himself in. CmdrTaco is usually not satisfied with merely snotting your own jizz back onto your face, he most often enjoys involving his own bodily fluids in his twisted games. WeatherTroll has spent some time trying to educate the Slashdot readership about this vile practice (emphasis added):

You may be wondering what CmdrTaco's "special taco" is. You will be wishing that you hadn't been wondering after you finish reading this post. To make his "special taco", CmdrTaco takes a taco shell and shits on it. He then adds lettuce, jacks off on the taco, and adds a compound to make the person who eats the taco unconscious. Of course, the compound does not make the person unconscious until the taco is fully eaten. Thus CmdrTaco force-feeds the taco to the unsuspecting victim.

After the victim is unconscious, he is held against his will and used for CmdrTaco's nefarious sexual purposes. This includes shoving taco shells up the victim's ass, Taco-snotting, and getting Jon Katz involved.

Completely different, yet no less revolting. It should be clear to you now that CmdrTaco is a very, very sick individual, as are most of the Slashdot editors.

Does Jon Katz get involved in any of this? I thought he was a paedophile, not a homosexual.

Actually, Jon Katz is a homosexual paedophile. He's also a coprophiliac, and, many suspect, a zoophile. Jon Katz is somewhat of a loner and doesn't involve himself in circle-snots. Mr. Katz usually engages in a game called " Katz juicy-douching" with his harem of little-boy slaves: a vile practice which involves administering an enema to himself of the little boy's urine (forced out of them with a pair of pliers), spooging the vile muck from his ass back into the enema bag, then squirting and slathering the goo all over himself, and the little boy's chained-up and naked bodies. If he's in the mood, he will sometimes skip refilling the enema bag and just squirt it from his ass onto his boys. Unwilling boys are further tortured with the pliers until they comply and allow Mr. Katz to juicy-douche them for the rest of their lives.

As I already said, Mr. Katz is also a zoophile. As if the sexual escapades with the helpless little boys aren't enough, Jon usually enjoys his juicy-douches best when his penis is firmly planted in a female goat's anus. He is also rumoured to get off on watching his little boys eat the goat's small, bean-like turds.

...Are you getting hard writing this?

Why, yes. :) Join me in a WIPO-snot?

No, thanks. I'm already CmdrTaco's boi toi.

________________________________________
READER COMMENTS

1. Re:The Taco-Snotting FAQ Rides Again!! (Updated so (Score:0)
   by Anonymous Coward on 2001.11.25 9:14 (#2609574)
   
   try to find a pic of actual "taco-snotting"! fucking funny it would be! so go to gay porn sites day in and day out until you find a man giving another man a blowjob that has jizz coming out of his nose and mouth. by the way, keep up the good work

2. Re:Snotting another first!! (Score:0)
   by Anonymous Coward on 2001.11.23 12:18 (#2603370)
   
   WIPO, this is getting waaaay old, either drop it or revise it.... there've been no updates for days now...
   
   CmdrTaco

3. Re:It's Taco SPAM!!! (Score:0)
   by Anonymous Coward on 2001.11.22 17:28 (#2600815)
   
   A truly excellent and very humourous troll indeed!
   However...
   
   To complete this perverted orgy, fellow geeks Michael, Timothy, and Jamie often join in, dressed in black Gestapo uniforms, jack boots, and leather gloves.
   
   Black GeStaPo uniforms? The GeStaPo (Geheime Staatspolizei - Secret State Police) wore civilian clothes (although there are reports on them occasionally using Allgemeine SS uniforms in occupied territories).
   
   I seriously doubt that perverted individuals like CmdrTaco et al would have the good taste to ever wear the outstandingly beautiful black Waffen SS uniforms! Please update the FAQ accordingly.
   • Re:It's Taco SPAM!!! (Score:0)
     by Anonymous Coward on 2001.11.23 4:06 (#2602610)
     
     Actually, it appears you are both wrong!! Ah ha!! I think our boy WIPO was thinking of the Allgemeine SS uniforms. Waffen SS were grey.

4. Re:Microsoft's Taco-Snotting Connection (Score:-1, Troll)
   by Anonymous Coward on 2001.11.21 4:49 (#2594325)
   
   oh yeah, you say you have masturbated only 2 times to this post. well, by the time it takes for me to get through reading it, i usually end up masturbated 5 to 6 times, 10 to 12 if i have the goatse.cx homepage loaded up and am looking at it side by side with the slashdot page. my keyboard, hands, mouse, monitor, the underside of my desk and around the floor under my desk are cum soaked and sticky with the man smell i know and love.

5. Re:Microsoft's Taco-Snotting Connection (Score:0)
   by Anonymous Coward on 2001.11.21 4:41 (#2594311)
   
   for version 2 you should make a total re-write of the cod...errr...text and add some details about cmdrtaco and the homo-gang's happenings with their coworkers (osdn?) and all of the gay revelry they enjoy and promote. by the way, did i just see cmdrtaco on television promoting the nax hair removal system? i guess after using vaseline in and around his ass he grew quite a ponytail and it had to be removed somehow...ouch!

6. Re:Microsoft's Taco-Snotting Connection (Score:-1, Troll)
   by TRoLLaXoR on 2001.11.21 3:59 (#2594191)
   
   WIPO, do you notice how few comments you get for anything you write/post/spam nowadays?
   
   -Trollaxor

7. Jon-Katz docking (Score:-1)
   by sales_worldwide on 2001.11.20 11:53 (#2588488)
   
   You forgot to mention Jon Katz's "docking" games, where he places his chopper head to head with another chap, and rolls the other guys foreskin over his own circumcised end ("docking"), providing him with fantasies of actually having his own forskin ...
   "Making linux GPL was the best thing I ever did" - Torvalds. I'd hate to see the worst thing...

8. Re:Snotting a first! (Score:-1)
   by Fucky the troll on 2001.11.20 11:28 (#2588446)
   
   Woah! When did the WIPO troll get freed? And how the fuck did I miss it?
   
   Excellent FP, sir.
   
   This is a sig virus. Please put me in your sig

9. Re:Snotting a first! (Score:-1, Troll)
   by Anonymous Coward on 2001.11.20 11:04 (#2588407)
   
   omg that is crapflooding material if i ever saw it!!!!!! and u got a first post!!!! whoot to the wipo troll!!!

10. GW, please.... (Score:0)
    by Anonymous Coward on 2001.11.19 9:03 (#2583756)
    
    GW...you know we love every hair on your 27 acre ass... and I, for one, would never do anything untowards your graceful demeanor. And you probably have several friends that would love to help you do the bear dance all over my face if I so much as spelled your name wrong. And you know I'd defend your Constitutional right to defame God in heaven. I'd even help fund your education, should you ever decide to take that route. Hell, I'd buy you a tall tepid bear-whiz beer if you were here with me, right now!
    
    But. ...if you can't find another topic, I'm gonna step over your dead mother's grave and kick your assuredly anesthetitized butt clear across the playground.
    
    Now go stick your shaved head back down inside the woman's toilet, and just to show there's no hard feelings, I'll jump in the tow-truck and drive right over to help you pull it right out...ok?
    
    thanks

11. Re:Help me Taco-Snotters!! (Score:-1)
    by mark knopfler 69 on 2001.11.19 8:25 (#2583695)
    
    I DO NOT BELIEVE YOU SIR. FOR ONE THING, THE E-MAIL FROM CMDRTACO DOES NOT HAVE ENOUGH GRAMMATICAL AND SPELLING MISTAKES. Let's be realistic here, CmdrTaco usually types with one hand, and since he is shaking from jacking off his aim on the keyboard isn't too good. Those e-mails were a little too well written. Sorry boy, you'll have to do better.

12. Re: What the hell is "taco snotting"? (Score:-1)
    by WeatherTroll on 2001.11.19 8:14 (#2583667)
    
    You should update this to say VA Software instead of VA Linux.

13. YOU ARE WINNER (Score:1)
    by smackmonkey on 2001.11.19 7:06 (#2583510)
    
    Crackhead moderators: this is +5, Hilarious material.
    
    --
    CNN declares War on Islam!
    Left-wing America declares War on its Civil Liberties!

14. Re:On Taco-Snotting 1.9 (Score:0)
    by Anonymous Coward on 2001.11.19 5:40 (#2583336)
    
    This was funny the first 100 times. Now it is getting boring!

15. Digusting and Shameful (Score:-1)
    by egg troll on 2001.11.18 22:27 (#2582054)
    
    Having masturbated *twice* to this post, I'm still incredibly aroused! Come over for a Taco Snot. I'll be wearing my crotchless Clifford the Big Red Dog outfit!!
    
    For more info check out this /. article

16. IMPROVE THE FAQ (Score:-1, Flamebait)
    by Anonymous Coward on 2001.11.18 12:03 (#2580822)
    
    add more links to goatse and to cowboineal's site to make it better. a link to rotten.com would be nice too
    • Re:IMPROVE THE FAQ (Score:0)
      by Anonymous Coward on 2001.11.18 12:18 (#2580832)
      
      and a link to michael's site and to jon katz's site if he has one and homo's site. i dont know what else to say. maybe a few links to phallic.org they have nice penis pictures! a link to the planet quake site or whatever. really make the reader feel this faq really answers their questions. oh yeah, and when you talk about cmdrtaco snotting you, say he brought you to "orgasm after sweaty orgasm". describe it more is all i'm saying. and use more italics and bolding! and when you talk about jon katz shitting or whatever have a link to fecal japan on rotten.com
      
      other wise a great job wipo troll! keep up the good work!

17. Re:CmdrTaco's filthy secret! (Score:-1)
    by Wil Wheaton on 2001.11.18 6:41 (#2580438)
    
    Hi. Let's be buddies.. butt buddies.
    --
    WIL WHEATON DOT NET

18. WIPO speaks the truth (Score:-1)
    by dead_puppy on 2001.11.18 5:33 (#2580342)
    
    Here is an e-mail I received a week ago:
    
    From: malda@slashdot.org
    To: puppy_dead@hotmail.com
    Subject: were where you last friday? :(
    
    I thought we where supposed to meet at Backdoor's at 8-ish, sugar-lips? You could've at least told me that you could'nt make it! I was even in my favorite pink skirt for you, honey-cup... next time, you could be more considarite and tell me you cant come... bastard.
    
    --
    CmdrTaco (malda@slashdot.org)
    
    You finding Ling-Ling's head?

19. Taco snotting is WRONG!!! (Score:-1)
    by Big_Ass_Spork on 2001.11.18 4:53 (#2580300)
    
    I do it wrong
    
    Laying here in the shadows of my room, I squint up at my love. My Ms. Portman. I am sore and tired after fucking her for eight solid hours. My chapped and aching dick is soaking in grits to relieve the pain. She gets on her knees and starts lapping the grits up out of the bowl. She places her beautiful hands on my penis and starts to lick the grits off my achy piece.
    
    Massaging my nutsack she....
    
    WAIT, I DO IT WRONG!!!!
    
    Yanking my dick out of her mouth I throw her to the ground and shove it in to her gaping freshly fisted ass. [goatse.cx]
    
    "OH BIG ASS SPORK!! Fuck my ass, fuck my ass good. DEEPER, my stallion, deeper!! Make a Beowulf cluster of sperm on my back!!"
    
    "Imagine a Beowulf cluster of this baby!"
    
    I DO IT WRONG!!!!
    
    ---
    All your Sporks are belong to Big_Ass_Spork! What you say?! All your Sporks are belo... forget it...

20. Rob Malda Dead at age 25! (Score:-1)
    by j0nkatz on 2001.11.17 22:54 (#2579596)
    
    I just heard some sad news on the radio -- famous queerbait Rob Malda was found dead in his Holland home this morning. The details were a bit hazy, but it seems that he drowned in jizz while Taco Snotting his friend Hemos. I'm sure everyone in the /. community will miss him -- even if you didn't enjoy his queer antics and boring ass website, there's no denying his contributions to the homosesual cultural development, particularly in the areas of Taco snotting. Truly an American icon.
    
    I wanna Open Source sex so it won't be worth a shit either.

21. TACO-SNOTTING is really Donkey-Punching (Score:-1, Troll)
    by Anonymous Coward on 2001.11.15 6:38 (#2567601)
    
    No no no, the correct term for that is "donkey-punch". I have eye-witnessed this amazing eye-popping event demonstrated on unsuspecting hose-monsters by my frat brothers in the past.. . :-)

22. Re:the effect of knowlege laws... (Score:1)
    by AbsoluteRelativity on 2001.11.15 5:31 (#2567457)
    
    The WIPO Troll
    Slashdot and the Karma Lottery - News for uber monkeys, by uber monkeys.

23. Re:Taco-Snotting (Score:-1, Troll)
    by Anonymous Coward on 2001.11.13 9:27 (#2557632)
    
    Oh, man that's just sick !

24. HOW DO I GET AN ANONYMOUS PROXY? (Score:-1, Troll)
    by Anonymous Coward on 2001.11.13 9:03 (#2557604)
    
    TELL ME WHERE I CAN GET AN ANONYMOUS proxy please WIPO Troll. Maybe later i will join you in a snotting at my place. ;P

25. Re:Taco-Snottage!?!?!? (Score:-1, Offtopic)
    by vikool on 2001.11.13 7:43 (#2557495)
    
    what is this bull shit,i feel offened that some people feel so so senseless to post stuff like these esp when such a tragic incident has occured

26. Re:Taco-felching!! (Score:-1)
    by I.T.R.A.R.K. on 2001.11.11 22:38 (#2551890)
    
    Where the fuck do I sign up?!
    
    - I throw rocks at retarded kids
    
    "Adequacy.org: Where congenital stupidity is not an option, but a requirement."

27. Re:Taco-felching!! (Score:-1, Troll)
    by Anonymous Coward on 2001.11.11 21:53 (#2551753)
    
    this shit is hilarious..keep up the good work.

28. Re:Taco-felching!! (Score:-1, Offtopic)
    by rockwood on 2001.11.11 21:49 (#2551746)
    
    OMG! That is the most disgusting thing I have ever heard! WHo in their right mind would sit down and waste the time to construct such a replusive story. I guess I'll be skipping lunch and dinner today.. and possibly tomorrow also. The game doesn't affect reality. Reality affects the game.

29. Re:Ban this! It's disgusting!! (Score:0)
    by Anonymous Coward on 2001.11.11 14:43 (#2550701)
    
    dude, this is crap-flood material if i ever saw it.
    duuuuuuuuudddddddddddddeeeeeeeee.

30. Re:Taco-Snotting = HATE SPEECH (Score:-1, Flamebait)
    by Anonymous Coward on 2001.11.11 8:16 (#2550266)
    
    horny_rob_6969@hotmail.com
    
    Ah, so that's what the alt.binaries.pictures.erotica.horny-rob newsgroup is about!

31. MOD THIS UP PLEASE!!! (Score:-1)
    by egg troll on 2001.11.11 5:34 (#2550024)
    
    +5, Arousing
    
    For more info check out this /. article

32. Re:Taco-Snotting = HATE SPEECH (Score:-1, Offtopic)
    by Anonymous Coward on 2001.11.11 4:39 (#2549891)
    
    WINNER>

33. Re:Taco-Snotting = HATE SPEECH (Score:-1, Offtopic)
    by Anonymous Coward on 2001.11.11 4:37 (#2549887)
    
    I love you. Why do you use your bitchslapped account, rather than signing up for a new account to post at +1 before getting bitchslapped by the censors here? I guess I should speak for myself, but I don't want to log out and lose all my slashdot customization properties, nor do I want to lose my 50 karma yet.

34. Re:On Taco-Snotting (Score:0)
    by Anonymous Coward on 2001.11.09 9:19 (#2542412)
    
    you fucking rock! right down to the expanded cvs id!
    
    WIPO trolls > linux

________________________________________

• The URL of this document is http://slashdot.org/journal.pl? op=display &uid=267426 &id=2346.
• Previous revisions are maintained at http://slashdot.org/journal.pl? op=display &uid=308209.

$Id: tacosnotting.html,v 1.11 2001/11/25 15:40:22 wipo Exp $

Third Party Key Holder

[ehikory]

"...no third party key holder..."

Actually, according to the web page, they do offer to act as the third party keyholder:

"The private portion of the key is encrypted with user's pass-code and stored on the local computer or sent to the server at user's choice."

If the private key is not sent to the server, then what is the benefit over any other service that allows remote email & storage (assuming others actually send emcrypted email and the user stores encrypted files)?

Now, because their service agreement requires users not to store any illegal material, users cannot really store anything that is dangerous to governments. I don't know the details of Canadian law enough, but I would suspect that the RCMP (or other appropriate agency) would be able to collect
the secret key and therefore decrypted data if they really wanted. Can someone tell me otherwise?

Re:Third Party Key Holder

Since the private key is not stored anywhere in its plain form, and neither is the passphrase, there is no way to recover the access codes to someones account except to ask the account owner or record his key strokes in some way. The passphrase never leaves your computer. CryptoHeaven does not act as a key holder in the sense that your key is not legible because it is encrypted with a hash of your passphrase.
If you are concerned about the strength of your passphrase, store your key locally.

Canadian Crypto service

[imrdkl]

The service and the product seem to be located and developed in Canada. I note that Canada is not a party to the CyberCrime Treaty which was discussed earlier.

Perhaps this is worth further investigation...

The user interface is written in Java, and requires a 1.3 or higher runtime installed. The Windows installer has an optional 1.3 runtime included. By virtue of the Java client-side implementation, your private key is never sent, or seen by the server unless you choose to upload it in encrypted form. If you do decide to upload your private key, thereafter you rely only on SSL, presumably, to protect the password for your encrypted private key stored remotely.

It's been awhile since I looked at Java's crypto. The 1.2 stuff was pretty lame, especially the keystore. But this implementation does at least seem to use RSA keys for Java, which means that the container may be better too.

I dunno if I'd ever advise anyone to allow their keys to be stored on the server, no matter how many reassurances they get. However, for someone who simply wishes to share private mail with someone else, it might be nice.

Things that remain unclear to me are:
1. Can encrypted mail be sent to someone who does not have an account, using a ordinary PGP public key, for example?
2. What protocol does the service use? Is it standard SMTP? (possibly with verification)
3. Where does the encryption/signing of the delivered email actually occur? Presumably always on the client. 4. The Service Agreement seems pretty, uh, tight. If you displease them in any way, all your rights, including access to your existing mail, is cutoff.

Anyone actually using this service?

Re:Canadian Crypto service

[DaveHowe]

I dunno if I'd ever advise anyone to allow their keys to be stored on the server, no matter how many reassurances they get. However, for someone who simply wishes to share private mail with someone else, it might be nice.
not entirely a bad thing - the security of the PGP secret keyring does not require secrecy of the file - if you really want it, I will mail you a copy - but *does* require that the key be encrypted and that a good, unguessable passphrase be used.

Re:Canadian Crypto service

[leto]

Wrong: reread the cybercrime URL you posted:

Canada, Japan, South Africa and the United States, who took part in the drafting, also signed the treaty today.

So, this means they (or at least their goverment) promises to help do key escrow etc. So the government will ask the key from cryptoheaven if they have it. There is no point in giving them they key at all. They cannot secure it. In fact, they should refuse all keys for this very reason.

Re:Canadian Crypto service

[imrdkl]

Thanks for pointing that out.

I shoulda used grep(1). Funny thing is, there was a thread in the discussion about the treaty, which give me the impression that Canada wasn't going along with it (the treaty). Something about pirating DirectTV signal, if I remember. Anyways, a good point was also made that, as long as the private key is encrypted, it's maybe ok to upload. But then you gotta trust SSL and the server-side actions. Better to keep your keys in your pocket, imho.

Re:Canadian Crypto service

From the review of the source code, it appears that the key is first encrypted using your passpharase, and then sent to the server (if you choose to do so). So, even if the goverment somehow got a hold of the key, they would still have to crack the encryption protecting it.

So, just like any passwords, you better make sure you choose an unguessabe passphrase. Cryptoheaven enforces the use of strong - at least 12 characters long passwords with some numbers and punctuation marks. To me, this is pretty secure. But hey, if you are really concerned, don't store your keys on the server, just carry it with you on a floppy, or any one of the new (very cool) USB flash storage devices. Either way, the key is still encrypted and you need your passphrase.

Re:Canadian Crypto service

The system does not allow sending encrypted mail to anyone outside the CryptoHeaven network. All users participating must have CryptoHeaven accounts, maybe this will change in the future, we'll see.

The client software performs all the encryption and decryption. Server acts as a place holder and remote storage for encrypted data. As long as you trust your own platform and you have a strong enough passphrase you need not worry about anyone decrypting your communications.

The private key (if optionally stored on the server) is also encrypted (Rijndael-256) with an SHA256 hash of your passphrase (plus salt) so it should be illegible to anyone should someone manage to steel it.

The Service Agreement is their legal disclaimer. One cannot operate a crypto remote storage service without one.

Re:Canadian Crypto service

[imrdkl]

But, if the key is saved on the server, doesn't this imply that the server also offers the encryption and decryption functionality? If so, then the password has to be sent to the server to decrypt the key.

Perhaps the encrypted key is given to the client again for each session? Does enc/dec only occur on the client? This was one of my questions. Perhaps you can grok that from the source?

Re:Canadian Crypto service

[imrdkl]

ah. ok. Forget my previous question then. thanks, mr. C!

Re:Canadian Crypto service

Your personal passphrase never leaves your computer, it is not stored or sent anywhere.

When the client connects to the server, server sends the encrypted private key to the client (or not if it is stored locally) and the decryption of the key takes place on the client. It is decrypted using the hash of the password which no one else knows but you.

On top of this, the entire session between the client and server is additionally encrypted with short term session keys.

Neal Stephenson day?

[spood]

What's going on? Did the ./ editors just pick up a copy of Cryptonomicon today? First a story on Van Eck Phreaking, now the Crypt?

CryptoHeaven looks solid

This is a client-server application with the server running at the Secure Data Center. A direct connection to the Internet is required.

From what i gather, the product targets individuals in need of security and privacy working together in small groups. Software includes features like instant messaging, chat, and file sharing. Unique feature is an ability to securely share data folders between groups of people combined with remote storage.

The source code is freely downloadable for anyone that cares to verify the claims. Asymmetric crypto is based on RSA and for a symmetric cipher, it uses Rijndael. Freely available source is very reassuring, it looks like it was released in hope that it would be put to the test by the cryptographic community. The crypto looks very strong and has multiple levels of encryption and hierarchies. I suppose when enough people review it, the software should gain broader popularity.

It does have some features over and above a person-to-person pgp email (or hushmail, or ziplip). It is meant to be a much more user friendly environment for data exchange within trusted groups, without sacrificing security.

Encrypted email? Use PGP.

[sketerpot]

Why are these people offering encrypted email? You can easily do it yourself with PGP. Just get PGP For windows or unix here or look for the C-KT build for windows only (but with a nice GUI).

Register your address on a keyserver, get a good email client, and off you go!

Re:Encrypted email? Use PGP.

[Kris_J]

You're right -- the problem with encrypted email isn't about a lack of services, it's the fact that it's hard to convince anyone else to use it.

Re:Encrypted email? Use PGP.

[Jennny]

Well, I think the main functionality of this is not only encrypted email but ability to share folders with files with your contacts.

how would they know what I'm using the service 4?

[kipple]

from the License Agreement:

"You hereby agree to not use the Service to:

1. transmit or store any Content that is unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable
2. defame, abuse, harass, stalk, threaten or otherwise violate the legal rights of others;
3. harm minors in any way;
4. impersonate any person or entity, or falsely state or otherwise misrepresent your affiliation with a person or entity;
5. email or otherwise transmit any Content that you do not have a right to transmit under any applicable law or under contractual or fiduciary relationships (such as inside information, proprietary and confidential information learned or disclosed as part of employment relationships or under nondisclosure agreements);
6. post, email or otherwise transmit any Content that infringes any patent, trademark, trade secret, copyright or other proprietary rights of any party;
7. upload, post, email or otherwise transmit any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes," or any other form of solicitation;
8. upload, post, email or otherwise transmit any material that contains software viruses, trojan horses, worms, time bombs, or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;
9. interfere with or disrupt the Service or servers or networks connected to the Service, or disobey any requirements, procedures, policies or regulations of networks connected to the Service;
10. intentionally or unintentionally violate any applicable local, state, national or international law;
11. harvest or otherwise collect information about others, including email addresses, without their consent"

...how would they know what I'm sending, if it's encrypted? Or was that just for law purposes?

Re:Maybe it's like Hushmail

Hushmail stores the private key on the server, but always encrypted with the passphrase, so your security is as strong as the passphrase. When the private key is needed, it is sent encrypted (and over secure channel) to the Java client, which decrypts it with the passphrase and uses it to decrypt email. Neither the passphrase, nor the plaintext private key, ever travel over the network. (They have a neat trick to prevent attackers from getting your encrypted private key for the purpose of a dictionary attack on the passphrase: The server stores a hash of your passphrase, and will only send the key to the client if the client sends the correct hash. As far as preventing the server operator from running a dictionary attack on your passphrase, you'll either have to trust them, or pick a really good one.)

If I recall, Hushmail has patent pending for the system described above (portable client that computes all encryptions/decryptions, private key and email/etc. stored on server).

Re:how would they know what I'm using the service

They don't know and do not have any way of knowing what you are sending. This is just to cover their asses for the purpose of complying the the applicable laws.

If you read the service agreement you have with your ISP, I am sure you'll see it says something along the same lines.

Re:Maybe it's like Hushmail

The CryptoHeaven is unique in the sense that it does not send the encrypted private key with the hash of the passphrase during the account creating. It does so after the account is created and secure connection already established, but only at the users choice. The encrypted private key does not have to be stored on the server at all, it can be stored in a file on your local computer -- in that sense, CryptoHeaven offers much higher security.

There is a challenge where the user must send the partial hash for authentication, which also originates from the passphrase but is computed independently from the hash (and other sources) which is used to encrypt the private key, in order to retrieve his encrypted private key. This way the encrypted private key is not send to anyone who does not pass this challenge. That only applies if the private key resides on the server.

Ather distinctions to the Hushmail is the generation of the hash where the user name and additional salt plays a role. Certain data and user input are combined together and used to generate a pass-code which is more involved in the process of creating accounts and establishing secure connections later on than passphrase is. For more details regarding the process I would refer to the source code.

not my cup of tea

[8onal]

It would have been wise to mention "Windows only" in the piece.

ZipLip meets my needs quite well for now.

Re:not my cup of tea

Actually, CryptoHeaven runs pretty much on any OS there is.

AES approved

These guy's main cipher was approved today as the next government standard. Inspires some confidence.