For those who missed it: Hushmail is pwnd

J.A. Terranson measl at mfn.org
Wed Nov 7 04:43:02 PST 2007


Hushmail and DEA have an "MLAT" ("Mutual Legal Assistance Treaty")???

Wow.

-- 
Yours,
J.A. Terranson
sysadmin_at_mfn.org
0xBD4A95BF


What religion, please tell me, tells you as a follower of that religion to
occupy another country and kill its people? Please tell me. Does
Christianity tell its followers to do that? Judaism, for that matter?
Islam, for that matter? What prophet tells you to send 160,000 troops to
another country, kill men, women, and children? You just can't wear your
religion on your sleeve or just go to church. You should be truthfully
religious.

Mahmoud Ahmadinejad

---------- Forwarded message ----------
Date: Mon, 5 Nov 2007 00:01:41 -0600
From: travis+ml-cryptography at subspacefield.org
To: auto37159 at hushmail.com
Cc: cryptography at metzdowd.com
Subject: Re: Hushmail in U.S. v. Tyler Stumbo

On Tue, Oct 30, 2007 at 12:27:53PM -0400, auto37159 at hushmail.com wrote:
> I stumbled across this filing:
> http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

I probably shouldn't say anything about this, but whoever made this
PDF failed to properly redact the personal information in #10, just
like the NYT failed to do with the names of the people who helped the
US in Iran.

I can simply switch desktops and see the numbers underneath before the
rectangles are drawn over them (possibly on another layer).  Actually
the box on #14 seems to work, possibly because it is larger, or was
done differently.

> What I found interesting was:
> 1.  The amount of data which Hushmail was required to turn over to
> the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs  What
> kind of and for what length of time does Hushmail store logs?

You would think that they would store the minimum or none, so that
they didn't have to answer such requests.  In the US, companies can
require compensation for resources spent filling these requests, but
many do not for fear of increased scrutiny by law enforcement.

I have been around when my department at a Usenet server had to fill
these kinds of requests on posts from people selling GHB or something
like that.  They pretty much write their subpoenas as wide as
possible, pretty much "any record you have about..." and then they
give you every relevant piece of identifying information they have.  I
think you have to swear under penalty that you got them everything.
Sorry bro....

IIRC, there were laws passed in Europe dictating minimum retention
times for ISPs and such.  They may have been passed in Canada and the
US as well.  I guess the legal theory is that when a business offers
services to the public they give up some rights over private property.

Probably they did the minimum work to comply, which means that the
CDs are either mostly empty, or full of unrelated data.

> 2.  That items #5 and #15 indicated that the _contents_ of emails
> between several Hushmail accounts were "reviewed".

Yep.

> 3.  The request was submitted to the ISP for IP addresses related
> to a specific hushmail address (#9).  How would the ISP be able to
> link a specific email address to an IP when Hushmail uses SSL/TLS
> for both web and POP3/IMAP interfaces?

It appears he used IP addresses gathered from #4.

> Since email between hushmail accounts is generally PGPed.  (That is
> the point, right?)  And the MLAT was used to establish probable
> cause, I assume that the passphrases were not squeezed out of the
> plaintiff.  How did the contents get divulged?

My guess is that Hushmail has had subpoenas before and had to develop
and install a modified java applet which captures the passphrase when
the user enters it.  With that and the stored keys, it can decrypt all
the stored communications.

If that's true, I wouldn't expect them to trumpet it, since it would
mostly negate their value proposition.
-- 
Life would be so much easier if it was open-source.
<URL:http://www.subspacefield.org/~travis/> Eff the ineffable!
For a good time on my UBE blacklist, email john at subspacefield.org.
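The redaction failure described in the forwarded message (numbers drawn first, a rectangle painted over them afterwards, so the text is still in the file) can be checked for mechanically. The script below is an added example and is not from the thread or from any of the parties named in it: it builds a small constructed PDF with one line of text covered by a filled rectangle, then walks the page content stream in drawing order and reports any text whose origin lies inside a rectangle filled later. It uses a deliberately simplified model of PDF drawing (uncompressed streams only, absolute Td/Tm origins, no transformation matrix), which is enough to catch the "black box over live text" pattern in a document you are about to publish.

```python
import re

# Constructed sample content stream (not the filing discussed in the thread):
# a line of "sensitive" text is drawn, a public line is drawn, and then a black
# rectangle is filled over the first line. The covered text is still in the file.
SAMPLE_CONTENT = b"""BT /F1 12 Tf 72 700 Td (CASE AGENT PHONE 555-0100) Tj ET
BT /F1 12 Tf 72 650 Td (Public paragraph text) Tj ET
0 g 70 695 200 16 re f
"""


def build_sample_pdf(content: bytes) -> bytes:
    """Wrap a content stream in minimal PDF syntax (constructed; no xref table,
    so it is input for the checker below rather than for a viewer)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(content)).encode() + b" >>\nstream\n"
            + content + b"\nendstream\nendobj\n%%EOF\n")


STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Tokens: literal strings, names, numbers, operators, array brackets.
TOKEN = re.compile(rb"\((?:\\.|[^\\)])*\)|/[^\s/\[\]()<>]+|[-+]?\d*\.?\d+|[A-Za-z'\"*]+|\[|\]")
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}


def extract_streams(pdf: bytes):
    """Return the raw body of every stream object. Real files usually compress
    streams with /FlateDecode; inflate them with zlib before scanning."""
    return STREAM.findall(pdf)


def scan_stream(stream: bytes):
    """Walk a content stream in drawing order, recording where text is placed
    and which rectangles are filled. Simplified model: BT resets the origin,
    Td/TD move it, Tm sets it, Tj/'/"/TJ place text there, `re` plus a fill
    operator paints a rectangle. The token index records drawing order."""
    texts, rects, pending, stack = [], [], [], []
    x = y = 0.0
    for idx, tok in enumerate(TOKEN.findall(stream)):
        if tok.startswith((b"(", b"/")) or tok in (b"[", b"]"):
            stack.append(tok)
            continue
        try:
            stack.append(float(tok.decode("ascii")))
            continue
        except ValueError:
            pass  # not a number, so it is an operator
        op = tok
        if op == b"BT":
            x = y = 0.0
        elif op in (b"Td", b"TD") and len(stack) >= 2:
            x += stack[-2]
            y += stack[-1]
        elif op == b"Tm" and len(stack) >= 6:
            x, y = stack[-2], stack[-1]
        elif op in (b"Tj", b"'", b'"', b"TJ"):
            parts = [t for t in stack if isinstance(t, bytes) and t.startswith(b"(")]
            text = b"".join(p[1:-1] for p in parts).decode("latin-1")
            texts.append((idx, text, x, y))
        elif op == b"re" and len(stack) >= 4:
            pending.append(tuple(stack[-4:]))  # x, y, width, height
        elif op in FILL_OPS:
            rects.extend((idx, r) for r in pending)
            pending = []
        elif op in (b"n", b"S", b"s"):
            pending = []  # path discarded or only stroked: nothing is covered
        stack = []
    return texts, rects


def find_covered_text(pdf: bytes):
    """Report text whose origin lies inside a rectangle filled after the text
    was drawn: hidden on screen, but still extractable from the file."""
    findings = []
    for stream in extract_streams(pdf):
        texts, rects = scan_stream(stream)
        for t_idx, text, tx, ty in texts:
            for r_idx, (rx, ry, rw, rh) in rects:
                if r_idx > t_idx and rx <= tx <= rx + rw and ry <= ty <= ry + rh:
                    findings.append((text, (rx, ry, rw, rh)))
                    break
    return findings


if __name__ == "__main__":
    for text, rect in find_covered_text(build_sample_pdf(SAMPLE_CONTENT)):
        print(f"text still present under filled rectangle {rect}: {text!r}")
```

A true redaction removes the text operators (and the glyphs, metadata and any other layer carrying them) before the box is drawn, so a clean document produces no findings here; a document that "redacts" by overlaying shapes produces one finding per covered string, which is exactly what a viewer exposes when the overlay is rendered late or on a separate layer.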




