Is Hushmail Still Safe?

Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication: "For a long time, Hushmail was considered a very secure email provider until an affidavit (PDF) from a DEA agent in 2007 showed that they had handed over 12 CDs of possibly decrypted data to law enforcement. Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?"

Is Hushmail still safe?

[Naughty+Bob]

The answer depends on how naughty you are.

For the kind of low-level crimes I like to commit, Hushmail is safe as milk.

If you like to blow up American stuff, it's not so safe anymore.

Re:Is Hushmail still safe?

[Ryukotsusei]

What if you're lactose-intolerant?

this has been the case all along

[spune]

you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

Re:this has been the case all along

[arcade]

Think our Government doesn't have the capability of decrypting them all,

No.

or more to the point the capability of demanding unencrypted data be handed over?

Well, if you mean by actually torturing you? Well, depends on whether you believe your government does that to americans or not.

If you refuse, you refuse. They then can't get to your data.

Unless you use debian, of course. :-P

Re:this has been the case all along

[legirons]

If you're encrypting email yourself then hushmail is just unnecessary. Use fireGPG with gmail and you've already got better privacy than hushmail (i.e. no need to trust their java applications)

plus you get the entertainment of watching google struggle to choose adverts for your "----BEGIN PGP MESSAGE----" email

Re:this has been the case all along

[lord_sarpedon]

Not if you use https://mail.google.com/ as your login page. Handy trick, but it should be the default.

Re:no encryption that YOU didn't write is safe

[icydog]

And unless you're Bruce Scheiner, encryption that you do write probably isn't safe either.

Re:no encryption that YOU didn't write is safe

[LighterShadeOfBlack]

Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded.

I'm sure any major government's capabilities to obtain information are beyond what they are commonly percieved to be, but that does not mean that every encryption scheme is instantly rendered null and void. No one government has control over everyone, so if you think the US government is stifling innovation in America do you also think they're doing the same in Japan, Europe, China, and anywhere else? Or do you think that those governments are all collaborating on this - now that really would be deluded.

If all available encryption mechanisms were crackable then why would governments have gone to to such lengths to try and hinder their development in years gone by - and why would many governments now be trying to attack encryption methods via other means, eg. the recent British law that makes refusal to give up keys to encrypted material punishable by up to 5 years in prison. Why be the bad guy and make those laws if they're unnecessary anyway? I suppose you could claim it's to try and mask their true abilities, or to play up to the anti-terror idiots, but I don't see that as likely.

Jars embed date of creation - More Info Needed

[KrisWithAK]

Any developer that has worked closely with jar (zip) files should have immediately notice a possible issue with this announcement. If you use the jar tool to create a jar archive with its default options, it embeds a new MANIFEST.MF file which has a new creation time; therefore, you will get a different jar checksum even if you are archiving the same exact contents. It would have been simply possible that the Hushmail build process created a new jar file (with identical files) for each type of software distribution that they use. The only way we can be sure is to compare the file list and checksum for each file inside of the jar archives.

The file is obfuscated

[tkinnun0]

The jar-file is obfuscated, bringing its size down to 270KB from 485KB. The source code archive contains a file verification.txt with this text:

For those who wish to verify that the class files downloaded when accessing
Hushmail are genuine, they can be compared against class files compiled from
source using the following tools.

Sun JDK 1.5.0_05 for Windows
Microsoft Java SDK 4.0
Proguard 3.5 (http://proguard.sourceforge.net)

Usage of these tools can be determined from the included Makefile and
proguard.conf. Note that the signing steps in the Makefile cannot be
accomplished, and so the class files must be compared individually. You cannot
compare the entire archive.

The Bouncy Castle Lightweight API Version 1.31
can be downloaded here:

http://www.bouncycastle.org/download/lcrypto-jdk11-131.tar.gz

The archives used by Hushmail are located here:

https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

Please ensure that you are comparing the same versions. Sometimes the release
of source code may lag a few days behind the update of Hushmail.

Questions can be directed here: https://www.hushmail.com/contact

I haven't done this verification, but neither has the cryptome author, so I suspect this is a non-story.

Re:no encryption that YOU didn't write is safe

[thomasw_lrd]

The only problem with being a hardass, is that there is always a bigger hardass out there, willing to prove it to you.

Re:no encryption that YOU didn't write is safe

[DaedalusHKX]

Rules for dealing with government are simple. Do not get involved in their business, do not play their games, do not volunteer anything, do not agree to anything, do not play with them, or for them. Once you do, your ass is theirs. They own you, with your consent at that.

By the same principle, don't fuck around, don't trespass, don't steal, and don't be a crook. Learn the law VERY carefully, keep a copy of Black's Law Dictionary (I think 6th edition is out now) in several different versions. Look up innocent looking terms and verbs in forms. DO NOT consent to anything period. Sign nothing. Be sure you know what is "your name" and what is what someone may call you. Practice your rights. Yes... all of them. A right practiced doesn't need to be infringed, because you already don't have it.

Be very suspicious not of your neighbors but of men in "special" uniforms or funny hats that supposedly give them power over you. Don't let strangers into the house. Homeschool your kids and do a god job, history, law and the local mythology are especially important subjects. Several languages and a good grasp of self defense, tactics and strategy are also quite important. Those with kids who choose to be politically active are extra vulnerable, since kids are the ultimate Achilles Heel.

Never ever trust strangers. Trust people in uniforms even less. Never ever get into a stranger's car, despite what you see in the movies. If they want to talk to you, they can get into yours. If you are confronted by a "friend from high school" and like most average people you can't remember who you met yesterday, nevermind back then, look behind you, you're probably about to get cattle prodded in the back and shoved into a van.

These were simple coping strategies for those who were not average plebeians and who survived the cullings of communism. I lost relatives who were educated, men I could've learned much from. I never met them because they were taught that self defense was for cops and soldiers. And when the king's men were gone, and the cops were coopted to communism... there was nobody to protect the smart, educated, "civilized" (i.e. willingly helpless) men from the cleansings. The ones who weren't "lifted" and sent off to Siberia, were enrolled into a front line regiment and given crap gear and no real training. Very few returned, most scarred for life. All I saw of them while growing up were pictures over mantelpieces. Grandmothers mourning long lost brothers or maimed cousins. That is the fate of the helpless of those who depend on others for their protection...

And what governments are preparing today, the police states being built now, they are so much more insidious, in that they're so much better concealed behind "feel good" intentions and bullshit propaganda about "the good of man". Oh well, fools get what they deserve. There's no stopping it at this point, fools gave up that chance a long time ago. All one can do now is get out of the way and let the Leviathan leap off the cliff with all the fools aboard. Watch the splatter and feel not sorry... they laid their own beds. Trying to save the stupid from their stupidity is what got the world into its sorry state in the first place. The stupid should have been permitted to perish, and Darwin should've been allowed to have his laugh. Instead the stupid were forced to live against their best attempts, so they outbred those who merited survival and to thrive.

Newsletter Time

1 Your high-school girlfriend cheated on you
2 The Government can't be trusted
3 Peer review of published encryption standards is worthless

Fascinating. Are you asserting "1 AND 2 ERGO 3" or "1 ERGO 2 ERGO 3"?

Rubber-hose cryptanalysis

[AmishElvis]

Ha, I found this on Wikipedia, attributed to Marcus J. Ranum -

...the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive)

Re:Rubber-hose cryptanalysis

[mrogers]

That used to be funny before we discovered our governments were actually torturing people. Nowadays I don't find it funny.