[107296] in cryptography@c2.net mail archive


Re: Hushmail in U.S. v. Tyler Stumbo

daemon@ATHENA.MIT.EDU (travis+ml-cryptography@subspacefie)
Mon Nov 5 13:46:09 2007

Date: Mon, 5 Nov 2007 00:01:41 -0600
From: travis+ml-cryptography@subspacefield.org
To: auto37159@hushmail.com
Cc: cryptography@metzdowd.com
Mail-Followup-To: auto37159@hushmail.com, cryptography@metzdowd.com
In-Reply-To: <20071030162753.58F1322840@mailserver5.hushmail.com>


On Tue, Oct 30, 2007 at 12:27:53PM -0400, auto37159@hushmail.com wrote:
> I stumbled across this filing:
> http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf

I probably shouldn't say anything about this, but whoever made this
PDF failed to properly redact the personal information in #10, just
like the NYT failed to do with the names of the people who helped the
US in Iran.

I can simply switch desktops and see the numbers underneath before the
rectangles are drawn over them (possibly on another layer).  Actually
the box on #14 seems to work, possibly because it is larger, or was
done differently.

> What I found interesting was:
> 1.  The amount of data which Hushmail was required to turn over to
> the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs  What
> kind of and for what length of time does Hushmail store logs?

You would think that they would store the minimum or none, so that
they didn't have to answer such requests.  In the US, companies can
require compensation for resources spent filling these requests, but
many do not for fear of increased scrutiny by law enforcement.

I have been around when my department at a Usenet server had to fill
these kinds of requests on posts from people selling GHB or something
like that.  They pretty much write their subpoenas as wide as
possible, pretty much "any record you have about..." and then they
give you every relevant piece of identifying information they have.  I
think you have to swear under penalty that you got them everything.
Sorry bro....

IIRC, there were laws passed in Europe dictating minimum retention
times for ISPs and such.  They may have been passed in Canada and the
US as well.  I guess the legal theory is that when a business offers
services to the public they give up some rights over private property.

Probably they did the minimum work to comply, which means that the
CDs are either mostly empty, or full of unrelated data.

> 2.  That items #5 and #15 indicated that the _contents_ of emails
> between several Hushmail accounts were "reviewed".

Yep.

> 3.  The request was submitted to the ISP for IP addresses related
> to a specific hushmail address (#9).  How would the ISP be able to
> link a specific email address to an IP when Hushmail uses SSL/TLS
> for both web and POP3/IMAP interfaces?

It appears he used IP addresses gathered from #4.

> Since email between hushmail accounts is generally PGPed.  (That is
> the point, right?)  And the MLAT was used to establish probable
> cause, I assume that the passphrases were not squeezed out of the
> plaintiff.  How did the contents get divulged?

My guess is that Hushmail has had subpoenas before and had to develop
and install a modified java applet which captures the passphrase when
the user enters it.  With that and the stored keys, it can decrypt all
the stored communications.

If that's true, I wouldn't expect them to trumpet it, since it would
mostly negate their value proposition.
-- 
Life would be so much easier if it was open-source.
<URL:http://www.subspacefield.org/~travis/> Eff the ineffable!
For a good time on my UBE blacklist, email john@subspacefield.org.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
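
Added example, not part of the original message: a pre-release check for the redaction failure described in the message above, where rectangles are drawn over text that is still stored in the PDF. It assumes an already-decompressed page content stream with simple "x y Td (...) Tj" text placement and "x y w h re f" filled boxes; the sample streams and the function name are constructed for illustration.

```python
import re

# Constructed, already-decompressed page content stream (not from the filing):
# two text runs, then a black filled rectangle painted over the second one.
PAINTED_OVER = b"""
BT /F1 12 Tf 72 700 Td (Exhibit list) Tj ET
BT /F1 12 Tf 72 680 Td (Acct no. 0000-0000) Tj ET
0 0 0 rg
70 676 140 16 re f
"""

# The same page with the sensitive text run deleted before the box is drawn.
REMOVED = b"""
BT /F1 12 Tf 72 700 Td (Exhibit list) Tj ET
0 0 0 rg
70 676 140 16 re f
"""

NUM = rb"(-?\d+(?:\.\d+)?)"
WS = rb"\s+"
# Assumption: each BT..ET block places one literal string with "x y Td (..) Tj".
TEXT_RE = re.compile(rb"BT\b.*?" + NUM + WS + NUM + WS + rb"Td\s*\((.*?)\)\s*Tj", re.S)
# Assumption: redaction boxes are "x y w h re" followed directly by a fill "f".
RECT_RE = re.compile(NUM + WS + NUM + WS + NUM + WS + NUM + WS + rb"re\s+f\b")


def text_under_fills(stream: bytes) -> list[str]:
    """Return text runs whose origin lies inside a filled rectangle.

    Such text is only hidden visually; it is still stored in the file.
    """
    rects = [tuple(map(float, m.groups())) for m in RECT_RE.finditer(stream)]
    hits = []
    for m in TEXT_RE.finditer(stream):
        x, y = float(m.group(1)), float(m.group(2))
        if any(rx <= x <= rx + w and ry <= y <= ry + h for rx, ry, w, h in rects):
            hits.append(m.group(3).decode("latin-1"))
    return hits


if __name__ == "__main__":
    for name, stream in (("painted over", PAINTED_OVER), ("removed", REMOVED)):
        print(name, "->", text_under_fills(stream) or "no text under fills")
```

A non-empty result means the document should not be released until the text itself is removed; real PDFs also need stream decompression and full text-matrix handling, which this narrow check leaves out.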
