Hushmail and DEA have an "MLAT" ("Mutual Legal Assistance Treaty")??? Wow. -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF What religion, please tell me, tells you as a follower of that religion to occupy another country and kill its people? Please tell me. Does Christianity tell its followers to do that? Judaism, for that matter? Islam, for that matter? What prophet tells you to send 160,000 troops to another country, kill men, women, and children? You just can't wear your religion on your sleeve or just go to church. You should be truthfully religious. Mahmoud Ahmadinejad ---------- Forwarded message ---------- Date: Mon, 5 Nov 2007 00:01:41 -0600 From: travis+ml-cryptography@subspacefield.org To: auto37159@hushmail.com Cc: cryptography@metzdowd.com Subject: Re: Hushmail in U.S. v. Tyler Stumbo On Tue, Oct 30, 2007 at 12:27:53PM -0400, auto37159@hushmail.com wrote:
I stumbled across this filing: http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.p rod_affiliate.25.pdf
I probably shouldn't say anything about this, but whoever made this PDF failed to properly redact the personal information in #10, just like the NYT failed to do with the names of the people who helped the US in Iran. I can simply switch desktops and see the numbers underneath before the rectangles are drawn over them (possibly on another layer). Actually the box on #14 seems to work, possibly because it is larger, or was done differently.
What I found interesting was: 1. The amount of data which Hushmail was required to turn over to the US DEA relating to 3 email addresses. 3 + 9 = 12 CDs What kind of and for what length of time does Hushmail store logs?
You would think that they would store the minimum or none, so that they didn't have to answer such requests. In the US, companies can require compensation for resources spent filling these requests, but many do not for fear of increased scrutiny by law enforcement. I have been around when my department at a Usenet server had to fill these kinds of requests on posts from people selling GHB or something like that. They pretty much write their subpoenas as wide as possible, pretty much "any record you have about..." and then they give you every relevant piece of identifying information they have. I think you have to swear under penalty that you got them everything. Sorry bro.... IIRC, there were laws passed in Europe dictating minimum retention times for ISPs and such. They may have been passed in Canada and the US as well. I guess the legal theory is that when a business offers services to the public they give up some rights over private property. Probably they did the minimum work to comply, which means that the CDs are either mostly empty, or full of unrelated data.
2. That items #5 and #15 indicated that the _contents_ of emails between several Hushmail accounts were "reviewed".
Yep.
3. The request was submitted to the ISP for IP addresses related to a specific hushmail address (#9). How would the ISP be able to link a specific email address to an IP when Hushmail uses SSL/TLS for both web and POP3/IMAP interfaces?
It appears he used IP addresses gathered from #4.
Since email between hushmail accounts is generally PGPed. (That is the point, right?) And the MLAT was used to establish probable cause, I assume that the passphrases were not squeezed out of the plaintiff. How did the contents get divulged?
My guess is that Hushmail has had subpoenas before and had to develop and install a modified java applet which captures the passphrase when the user enters it. With that and the stored keys, it can decrypt all the stored communications. If that's true, I wouldn't expect them to trumpet it, since it would mostly negate their value proposition. -- Life would be so much easier if it was open-source. <URL:http://www.subspacefield.org/~travis/> Eff the ineffable! For a good time on my UBE blacklist, email john@subspacefield.org.