Is Hushmail Still Safe?

Soulskill posted more than 6 years ago | from the possibly-good-protection dept.

Privacy 264

Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication: "For a long time, Hushmail was considered a very secure email provider until an affidavit (PDF) from a DEA agent in 2007 showed that they had handed over 12 CDs of possibly decrypted data to law enforcement. Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?"


Is Hushmail still safe? (5, Funny)

Naughty Bob (1004174) | more than 6 years ago | (#24456183)

The answer depends on how naughty you are.

For the kind of low-level crimes I like to commit, Hushmail is safe as milk.

If you like to blow up American stuff, it's not so safe anymore.

Re:Is Hushmail still safe? (5, Funny)

Ryukotsusei (1164453) | more than 6 years ago | (#24456537)

What if you're lactose-intolerant?

Re:Is Hushmail still safe? (4, Funny)

Naughty Bob (1004174) | more than 6 years ago | (#24456643)

What's the worst that can happen?....

exactly

Re:Is Hushmail still safe? (-1)

Anonymous Coward | more than 6 years ago | (#24456963)

There is nothing wrong with Hushmail, in fact I'm writing an email right now.. UH OH TOILET TIM
OH SHIT

this has been the case all along (5, Insightful)

spune (715782) | more than 6 years ago | (#24456199)

you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

Re:this has been the case all along (4, Informative)

jjohnson (62583) | more than 6 years ago | (#24456247)

Generally yes, but Hushmail offered two methods of encrypting emails: on their servers and in a Java applet that did it locally. What came out during the earlier revelations was the company handed over email that they decrypted on their servers, but couldn't do so for the applet based encryption. They said up front that the applet was far more secure.

Re:this has been the case all along (3, Interesting)

TubeSteak (669689) | more than 6 years ago | (#24456705)

What came out during the earlier revelations was the company handed over email that they decrypted on their servers, but couldn't do so for the applet based encryption. They said up front that the applet was far more secure.

IIRC, Hushmail started passing out 'bad' java applets so that they could grab encryption keys.

Re:this has been the case all along (5, Informative)

legirons (809082) | more than 6 years ago | (#24457231)

If you're encrypting email yourself then hushmail is just unnecessary. Use fireGPG with gmail and you've already got better privacy than hushmail (i.e. no need to trust their java applications)

plus you get the entertainment of watching google struggle to choose adverts for your "----BEGIN PGP MESSAGE----" email

Re:this has been the case all along (4, Informative)

Naughty Bob (1004174) | more than 6 years ago | (#24456251)

you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

RTFAs much? Hushmail provide you with an optional, open app to encrypt things before they leave your computer. But now it seems that (based on differing hashes) the code used 'in the field' is not the same as the reference source code they show on their site.

I'd be inclined, given Hushmail's excellent track record on openness, to believe that this is more an oversight, i.e. something not updated, than a turn to the dark side.
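The check behind the "differing hashes" point above, as an added example that is not part of the original thread and is not Hushmail's code: a whole-file hash of a served JAR will differ from a local build for benign reasons (timestamps, signing files), so the useful comparison is per entry. The class names, file contents and sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Manifest and signature files legitimately differ between a JAR built from
# published source and the signed JAR a vendor serves, so they are excluded
# from the code comparison.
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signing_metadata(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNING_SUFFIXES)
    )


def entry_digests(jar_bytes):
    """Map each entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            if info.filename in digests:
                # Duplicate names let one copy be audited and another loaded.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(reference_bytes, deployed_bytes):
    """Compare a JAR built from published source with the one actually served."""
    ref = {n: h for n, h in entry_digests(reference_bytes).items()
           if not is_signing_metadata(n)}
    dep = {n: h for n, h in entry_digests(deployed_bytes).items()
           if not is_signing_metadata(n)}
    return {
        "whole_file_match": hashlib.sha256(reference_bytes).digest()
        == hashlib.sha256(deployed_bytes).digest(),
        "only_in_reference": sorted(set(ref) - set(dep)),
        "only_in_deployed": sorted(set(dep) - set(ref)),
        "changed": sorted(n for n in set(ref) & set(dep) if ref[n] != dep[n]),
    }


def make_jar(entries, date_time):
    """Build a constructed sample JAR in memory (illustration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed samples: hypothetical class names and placeholder contents.
SOURCE_BUILD = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Cipher.class": b"cipher-bytecode-v1",
    "com/example/KeyStore.class": b"keystore-bytecode-v1",
}
REFERENCE = make_jar(SOURCE_BUILD, (2008, 1, 1, 0, 0, 0))

# Same code, later build time, vendor signature added: benign differences.
REBUILT = make_jar(
    dict(SOURCE_BUILD, **{
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: signed\n",
        "META-INF/VENDOR.SF": b"constructed signature file",
        "META-INF/VENDOR.RSA": b"constructed signature block",
    }),
    (2008, 6, 1, 0, 0, 0),
)

# One class altered and one class added: what an audit must flag.
TAMPERED = make_jar(
    dict(SOURCE_BUILD, **{
        "com/example/KeyStore.class": b"keystore-bytecode-v2",
        "com/example/Uploader.class": b"extra-bytecode",
    }),
    (2008, 6, 1, 0, 0, 0),
)

if __name__ == "__main__":
    for label, jar in (("rebuilt", REBUILT), ("tampered", TAMPERED)):
        print(label, compare_jars(REFERENCE, jar))
```

A mismatch in `whole_file_match` alone says nothing about the code; entries listed under `changed` or `only_in_deployed` are what need explaining, and the comparison is only as good as the build's reproducibility (compiler version and flags must match the vendor's).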

Re:this has been the case all along (0, Interesting)

Anonymous Coward | more than 6 years ago | (#24456381)

you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.

Errr, with what exactly? PGP/GPG? Some other freeware encryption that still uses a published algorithm? Think our Government doesn't have the capability of decrypting them all, or more to the point the capability of demanding unencrypted data be handed over?

I congratulate you on your zenlike elevation of being. Ignorance must be very blissful.

Re:this has been the case all along (3, Interesting)

Troed (102527) | more than 6 years ago | (#24456417)

No, they don't have that capability. Please read any beginners book on crypto.

Re:this has been the case all along (5, Insightful)

arcade (16638) | more than 6 years ago | (#24456445)

Think our Government doesn't have the capability of decrypting them all,

No.

or more to the point the capability of demanding unencrypted data be handed over?

Well, if you mean by actually torturing you? Well, depends on whether you believe your government does that to americans or not.

If you refuse, you refuse. They then can't get to your data.

Unless you use debian, of course. :-P

Rubber-hose cryptanalysis (5, Funny)

AmishElvis (1101979) | more than 6 years ago | (#24457159)

Ha, I found this on Wikipedia, attributed to Marcus J. Ranum -

...the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive)

Re:this has been the case all along (3, Informative)

FilterMapReduce (1296509) | more than 6 years ago | (#24457043)

Some other freeware encryption that still uses a published algorithm?

If this made any difference, the algorithm would suck anyway. [wikipedia.org]

Re:this has been the case all along (2, Insightful)

AmiMoJo (196126) | more than 6 years ago | (#24456567)

If only popular email clients would ship with encryption built in, set up by the account creation wizard and turned on by default...

Once everyone had the ability to check signatures and decrypt encrypted mail, and the client defaulted to encrypted if a key was available we would be half way there. Unfortunately there is no good system at the moment for hiding the address of who the mail is being sent to, and at least in the UK ISPs are required to log that data.

I'm somewhat surprised that Thunderbird hasn't done it. GPG is free, plugins already exist and it would finally be something that can separate it from the crowd of other email clients with similar or better features. Even better would be if MS integrated it into Outlook or Mail. Maybe Apple could market it as a feature?

Re:this has been the case all along (2, Informative)

SignOfZeta (907092) | more than 6 years ago | (#24456725)

Apple has PGP keys [apple.com] that you can use for submitting encrypted email to them; they tell you to use it for sending in proof of security issues. While they don't include the functionality in Mail, there's always MacGPG [sente.ch] (command-line tools, plus a nice Aqua-fied port) and the GPGMail [sente.ch] plugin.

Why Apple and Mozilla make no official inclusion, I have no idea. Probably due to licensing, no doubt. (It goes without saying that Microsoft doesn't include it because they're Microsoft.)

Re:this has been the case all along (2, Informative)

AmiMoJo (196126) | more than 6 years ago | (#24456849)

GPG is open source, GPL licenced and patent free, so really there is no excuse for not including it.

Even GPG doesn't solve the recipient-in-plain-text problem. It's the same with SSL - the encryption is encrypted but your ISP can still see the address of the site you are visiting.

Re:this has been the case all along (2, Interesting)

SignOfZeta (907092) | more than 6 years ago | (#24457243)

Assuming that Apple has no problem with the GPL, then I suppose the Mac users of the world should submit feedback [apple.com]. Thunderbird users can leave feedback here [mozilla.org]. Hell, leave feedback for both. Widespread adoption of GPG can't hurt anyone.

And you're right, GPG doesn't encrypt headers. If we did encrypt headers, we'd have to find a replacement for SMTP… SMTPSEC? Given the popularity of DNSSEC compared to DNS, I don't see that happening.

Re:this has been the case all along (1)

yabos (719499) | more than 6 years ago | (#24457225)

They have built in S/MIME

Re:this has been the case all along (2, Interesting)

legirons (809082) | more than 6 years ago | (#24457269)

If only popular email clients would ship with encryption built in, set up by the account creation wizard and turned on by default...

But how do you swap keys?

At this point, it would be nice for some organisation to just start signing PGP keys when you fax them a driving license or something, the equivalent to a CA but for PGP keys which traditionally needed huge effort to figure-out if the key matches the person.

haha (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24456215)

trix are for kids mutherfucker!

Simple Answer (4, Insightful)

fluch (126140) | more than 6 years ago | (#24456225)

...one can't trust encryption if it is done off site. Point.

If you want your communication secure, encrypt it on your computer which you trust. This is the only way to keep it secure...

Re:Simple Answer (4, Informative)

icydog (923695) | more than 6 years ago | (#24456429)

The whole point of Hushmail's program is that you do it on a computer which you trust. They also offer a version where you send stuff to their servers in plaintext and then they encrypt it for you, which is harder to trust.

The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.

Re:Simple Answer (4, Insightful)

Just Some Guy (3352) | more than 6 years ago | (#24457023)

The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.

The other problem is that it's not GPG. Honestly, there is no way I'd trust any other file crypto software today. Why should I? GPG is there and works and people use it. Anything else is just rolling dice.

This is maybe the one area where I don't think there's a lot of room for options. Crypto is almost unbelievably hard to get right, and the odds of more than a tiny handful of programs pulling it off is slim. Putting all of your eggs in one basket is risky, but I'd rather trust one titanium roll cage of a basket than 100 made out of tin foil and rusty nails.

faggot (0, Insightful)

Anonymous Coward | more than 6 years ago | (#24456227)

of course it is.

no encryption that YOU didn't write is safe (4, Insightful)

TheGratefulNet (143330) | more than 6 years ago | (#24456245)

it's just that simple.

unless you can review (and understand) what's going on, line by line, you can't REALLY trust it.

what is at stake, here? the gov's are at an all-time power-grabbing frenzy for violating your personal privacy. corporate, too, for that matter.

it was once said that no one would be allowed to sell or market encryption tech that 'the big guys' would not be able to break; meaning our government. I once worked at a picture phone company (mid 80's) that was starting to go down the 'encrypt your video phone call' path (using old switched56 tech) and we were told we could NOT do our own encryption unless it was 'breakable' by, well, certain agencies.

believe what you want, but no commercial (or even freeware) encryption that is available to YOU AND I will be worth anything other than 'for show'.

I fully believe that. you would do well to mistrust your government, too, given how greedy they have become on the rights-grab thing.

locks only keep honest people out. there is NO WAY to keep the gov out, anymore. and that means that others, too, have backdoors (you think the gov is the only entity that can 'get to' this kind of stuff?)

anyone who trusts encryption for their life, in this day and age, is deluded.

Re:no encryption that YOU didn't write is safe (5, Insightful)

icydog (923695) | more than 6 years ago | (#24456287)

And unless you're Bruce Schneier, encryption that you do write probably isn't safe either.

Re:no encryption that YOU didn't write is safe (2, Insightful)

Naughty Bob (1004174) | more than 6 years ago | (#24456357)

And unless you're Bruce Schneier, encryption that you do write probably isn't safe either.

Necessary but not sufficient- You'd also need to be a black-belt in Silicon whittling.

Re:no encryption that YOU didn't write is safe (4, Interesting)

Iamthecheese (1264298) | more than 6 years ago | (#24456311)

Several kinds of encryption have been inspected for years by some of the brightest minds in the field. Are you claiming that they are somehow vulnerable as well? RSA, Diffie-Hellman key exchange, 3DES, AES...

Re:no encryption that YOU didn't write is safe (2, Interesting)

DaedalusHKX (660194) | more than 6 years ago | (#24456375)

You mean like that incident with Debian recently where some genius commented some lines that were spouting a warning in GnuPG, and it turns out that the keys generated for SSH were MUCH weaker to brute force crack than the usual ones? Yeah, most brilliant minds tend to miss things. Expert worship is a way to get one's self killed or maimed while waiting for the experts to verify that said incident actually COULD cause the maiming or killing to occur.

Be real... nothing is 100% safe. Your only real safety is to be A) a hardass who takes no shit from anyone.. and B) not play the government's game. Don't ask anything of them, do not answer their questions. Play your game... let the serfs get what they got coming. Not your problem. Not mine either. Fuck'em, they wanted nanny state to exist, now let them live with their beloved papa guv'.

Re:no encryption that YOU didn't write is safe (5, Insightful)

thomasw_lrd (1203850) | more than 6 years ago | (#24456533)

The only problem with being a hardass, is that there is always a bigger hardass out there, willing to prove it to you.

Re:no encryption that YOU didn't write is safe (0, Offtopic)

DaedalusHKX (660194) | more than 6 years ago | (#24456661)

And what does a total weakling prove? That even those who aren't hardasses can walk all over him? I've known a few when I was in high school. Their girlfriends slept with everyone but them. They were the "nice guys". I even tried being one for awhile. Very depressing existence. I think those who enjoy it, deserve it... and all that comes with it.

Re:no encryption that YOU didn't write is safe (0, Flamebait)

roguetrick (1147853) | more than 6 years ago | (#24456811)

You're one sad, scared little dude, chest puffing on slashdot.

Newsletter Time (5, Funny)

Anonymous Coward | more than 6 years ago | (#24456887)

1 Your high-school girlfriend cheated on you
2 The Government can't be trusted
3 Peer review of published encryption standards is worthless

Fascinating. Are you asserting "1 AND 2 ERGO 3" or "1 ERGO 2 ERGO 3"?

Re:no encryption that YOU didn't write is safe (4, Funny)

shaitand (626655) | more than 6 years ago | (#24456917)

If the brilliant minds missed it, how is it you know about it?

Re:no encryption that YOU didn't write is safe (4, Informative)

Lincolnshire Poacher (1205798) | more than 6 years ago | (#24456957)

> where some genius commented some lines that were spouting a warning in GnuPG

Point 1:

No-one changed anything in GnuPG. Valgrind issued warnings regarding OpenSSL which resulted in some unfortunate changes in one distro of one OS.

GnuPG and OpenSSL are entirely discrete projects, please don't confuse people with supposition and half-truths.

Point 2:

Neither you nor I can write a robust encryption algorithm. On the contrary, Rijndael and Twofish have been published in the wild now for eight years and no-one has demonstrated a weakness. If the former is acceptable as AES for US Government crypto then it is secure enough for the rest of us. Even if we assume that the NSA is 20 years ahead of the field in mathematics, if you're not dealing with the NSA then you've got 20 years lead time before Company-X can crack your files.

Re:no encryption that YOU didn't write is safe (1)

turbidostato (878842) | more than 6 years ago | (#24457033)

"You mean like that incident with Debian recently where some genius commented some lines"

You seem to forget that:
a) It was an implementation problem, not one with the algorithm.
b) The problem was discovered *and* already corrected

Both things quite far from "government conspiranoids".

Re:no encryption that YOU didn't write is safe (3, Informative)

lorenzo.boccaccia (1263310) | more than 6 years ago | (#24456457)

3des is not vulnerable but computer power has passed the point on which an individual could mount an actual attack. D-H suffers from man in the middle attacks (but a secure variant exists, it's called station to station or something similar but is based on asymmetric cryptography). asymmetric cryptography as RSA works IF you could trust the third party half key, and it is not quite working given the mess we have with trusted trusting authorities. Regarding AES, there is some concern about a possible NSA backdoor; common blowfish implementation was botched - two times - allowing for key recovery. I could provide source for almost all those claims, but right now I'm too lazy to search to go ogle them.

my point is, several experts in the field already stated concern about these algorithms, but more importantly nobody could trust any of those algorithms to work perfectly, as there are too many attack vectors - backdoors, wrong implementations, man in the middles, unexpected mathematical tricks, and why not plain old social engineering. Each one of those algorithms has its own strength and weakness, and 0,1% of the internet population could consider itself safe - without knowing every bit of the field AND of the implementation AND of the network topology between Alice and Bob and so on, cryptography is just a layer of security. Perfect Security doesn't exist, as it never existed in the first place: you always somehow need to recover that data.

Re:no encryption that YOU didn't write is safe (3, Informative)

djcapelis (587616) | more than 6 years ago | (#24456579)

>3des is not vulnerable but computer power has
>passed the point on which an individual could
>mount an actual attack.

I believe that would likely be DES you're referring to, not 3DES.

Whether the NSA can attack 3DES or not is an entirely different matter. But an individual? Not yet. 3DES is about 112 bits of key if you account for meet in the middle.

DES is ~56 bits and can be cracked in hours with special purpose hardware.

n Hours * 2^(112-56) = 72057594037927936n hours.

So... I think it's out of reach for an individual at the moment. Even if we could break DES in minutes...

Re:no encryption that YOU didn't write is safe (1)

lorenzo.boccaccia (1263310) | more than 6 years ago | (#24457037)

true =) I was thinking about round reduction using differential cryptanalysis, but that attack was not for 3des

All Encryption Can be Cracked (2, Insightful)

tobiah (308208) | more than 6 years ago | (#24457039)

It's just a matter of time. This almost always happens faster than the designer imagined it would take.

Re:no encryption that YOU didn't write is safe (5, Insightful)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#24456349)

Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded.

I'm sure any major government's capabilities to obtain information are beyond what they are commonly perceived to be, but that does not mean that every encryption scheme is instantly rendered null and void. No one government has control over everyone, so if you think the US government is stifling innovation in America do you also think they're doing the same in Japan, Europe, China, and anywhere else? Or do you think that those governments are all collaborating on this - now that really would be deluded.

If all available encryption mechanisms were crackable then why would governments have gone to such lengths to try and hinder their development in years gone by - and why would many governments now be trying to attack encryption methods via other means, eg. the recent British law that makes refusal to give up keys to encrypted material punishable by up to 5 years in prison. Why be the bad guy and make those laws if they're unnecessary anyway? I suppose you could claim it's to try and mask their true abilities, or to play up to the anti-terror idiots, but I don't see that as likely.

Re:no encryption that YOU didn't write is safe (2, Insightful)

Breakfast Pants (323698) | more than 6 years ago | (#24456657)

It doesn't have to be anywhere near that elaborate: just assume lawmakers have about the same level of information as us, so they think (rightfully I believe) that encryption is sound, and therefore they need that law.

Re:no encryption that YOU didn't write is safe (3, Insightful)

hacker (14635) | more than 6 years ago | (#24456717)

"Anyone who thinks the government is a magical entity that can automatically undo the work of independent researchers and mathematicians is deluded."

...and those who think they're the top in their field, are regularly and quickly shown up by those who are smarter than themselves. Just remember that for every person you're beating in any field (math, basketball, chess, whatever), there are people out there MUCH smarter, faster, better than you are.

Just because one brilliant researcher publicly puts his stamp of approval on an algorithm, does not mean that any government doesn't have a team of similarly-brilliant researchers poking holes in that algorithm that are never made public.

Re:no encryption that YOU didn't write is safe (2, Insightful)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#24456837)

Yes, but that goes both ways. For every brilliant person who chooses to work for the government there is another that chooses to work commercially or academically. Which is why I believe it's highly unlikely that the government could be so far ahead of the curve as the GP suggests. That is unless they were actively hindering those who work outside of the government, in which case I'd find it very difficult to believe that such efforts would be unknown.

Re:no encryption that YOU didn't write is safe (2, Insightful)

Nikker (749551) | more than 6 years ago | (#24456807)

If minds alone are the root that provides the fruit then isn't it curious that governments harvest and continually employ a majority of these?

If this is the fruit we see and share what type of fruit do they eat?

Re:no encryption that YOU didn't write is safe (3, Funny)

djdavetrouble (442175) | more than 6 years ago | (#24456941)

Obviously you've never seen 24 and that room full of awesome computer at CTU HQ,
and Jack Bauer's cell phone that works EVERYWHERE.

I mean all that stuff is real, it's basically a documentary.

All it takes is one determined tow headed ex special forces DUDE with a license to ill,
and your whole encryption thingy comes tumbling down.

Re:no encryption that YOU didn't write is safe (4, Insightful)

Cheesey (70139) | more than 6 years ago | (#24456473)

We got past this in the 90s; initially they said that all encryption would have to be weak (e.g. 40 bit) or go through their chips (Clipper, etc.). But they found that this didn't stand up to the reality of the WWW era. What worked in the 80s for the few users of encryption at that time simply couldn't scale up for web commerce. Strong encryption was a commercial necessity, so the attempts to control the industry had to be dropped. The export restrictions disappeared, and because DES was now too weak to be useful, the new AES standard was introduced.

Is AES full of back doors for the NSA? Almost certainly not, since these could also be used by any resourceful group of cryptographers, including the Chinese version of the NSA.

Is quantum computing already being used to crack AES? No. Quantum computing is the cold fusion of our industry.

Re:no encryption that YOU didn't write is safe (2, Interesting)

mccabem (44513) | more than 6 years ago | (#24457255)

if I may:

"Is AES full of back doors for the NSA? Almost certainly not, since these could also be used by any resourceful group of cryptographers, including the Boogey Man [wikipedia.org]."

Re:no encryption that YOU didn't write is safe (4, Insightful)

AmiMoJo (196126) | more than 6 years ago | (#24456519)

believe what you want, but no commercial (or even freeware) encryption that is available to YOU AND I will be worth anything other than 'for show'.

Truecrypt is freeware (open source) and is secure. In fact, it's more secure than any commercial offering I know of, due to its plausible deniability features. The source is there, it has been examined by experts and you can take a look yourself. Encryption options include both AES and Twofish, both known to be secure.

Encryption is well understood and researched by academics working in public. Sure, governments have their own secret research, but a lot of very clever people all around the world have been testing AES and Twofish for weaknesses for years and so far have found none. Governments don't have any magical ability to find flaws in encryption that ordinary academics don't.

Having said that, perhaps if you are Osama Bin Laden you might want to be a little bit paranoid. In theory, with a few billion dollars you could build a machine capable of cracking AES in months. So far there is no evidence such a machine exists, but... Most people don't have to worry about that though, even if they are doing something that could get them in serious trouble - certainly the national police, Interpol or even secret services (MI6/CIA) don't have any chance of breaking AES by brute force. Of course they could torture you now but even that isn't much of a threat to anyone not labelled a terrorist by the US.

Re:no encryption that YOU didn't write is safe (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24456801)

...Of course they could torture you now but even that isn't much of a threat to anyone not labelled a terrorist by the US.

But people who don't hand over their laptops and their encryption keys to DHS are terrorists! Right?

Re:no encryption that YOU didn't write is safe (2, Interesting)

trewornan (608722) | more than 6 years ago | (#24456967)

Governments don't have any magical ability to find flaws in encryption that ordinary academics don't

But they do have lots of academics, and often some of the very best. Case in point: the NSA discovered differential cryptanalysis years before anyone else (that we know of) and was aware that several commercially important algorithms were susceptible.

Re:no encryption that YOU didn't write is safe (1, Informative)

Anonymous Coward | more than 6 years ago | (#24456543)

While I do believe that many commercial RSA-based encryption algorithms have back doors or are easily breakable, the sheer simplicity of Blowfish leads me to believe otherwise. Sixteen rounds through S-boxes of your own choosing is nigh unto impossible to crack even with a dedicated supercomputer for top-secret 'research' (like Roadrunner).

While I did not write the source code that I use, I have inspected every last character with full understanding of what it's supposed to do, and I didn't need a PhD from MIT to understand the algorithm.

Oh, and for the trolls out there, Twofish is supposedly better. It changes keys faster, but I see this as a weakness being that the only known cryptanalysis of *fish is brute force with a few minor optimizations if they know your S-boxes or part of your plaintext.

Re:no encryption that YOU didn't write is safe (1)

Lincolnshire Poacher (1205798) | more than 6 years ago | (#24457017)

> Sixteen rounds through S-boxes of your own choosing is nigh unto impossible to crack even with a dedicated supercomputer

Err, actually that's a particularly BAD thing. Random selection of S-box values can lead to differential cryptanalysis vulnerabilities. For example, IBM's original arbitrary values for Lucifer's S-boxes were corrected by the NSA prior to adoption as DES.

Nothing in cryptography comes down to chance.

Re:no encryption that YOU didn't write is safe (5, Insightful)

DaedalusHKX (660194) | more than 6 years ago | (#24456619)

Rules for dealing with government are simple. Do not get involved in their business, do not play their games, do not volunteer anything, do not agree to anything, do not play with them, or for them. Once you do, your ass is theirs. They own you, with your consent at that.

By the same principle, don't fuck around, don't trespass, don't steal, and don't be a crook. Learn the law VERY carefully, keep a copy of Black's Law Dictionary (I think 6th edition is out now) in several different versions. Look up innocent looking terms and verbs in forms. DO NOT consent to anything period. Sign nothing. Be sure you know what is "your name" and what is what someone may call you. Practice your rights. Yes... all of them. A right practiced doesn't need to be infringed, because you already don't have it.

Be very suspicious not of your neighbors but of men in "special" uniforms or funny hats that supposedly give them power over you. Don't let strangers into the house. Homeschool your kids and do a good job, history, law and the local mythology are especially important subjects. Several languages and a good grasp of self defense, tactics and strategy are also quite important. Those with kids who choose to be politically active are extra vulnerable, since kids are the ultimate Achilles Heel.

Never ever trust strangers. Trust people in uniforms even less. Never ever get into a stranger's car, despite what you see in the movies. If they want to talk to you, they can get into yours. If you are confronted by a "friend from high school" and like most average people you can't remember who you met yesterday, nevermind back then, look behind you, you're probably about to get cattle prodded in the back and shoved into a van.

These were simple coping strategies for those who were not average plebeians and who survived the cullings of communism. I lost relatives who were educated, men I could've learned much from. I never met them because they were taught that self defense was for cops and soldiers. And when the king's men were gone, and the cops were coopted to communism... there was nobody to protect the smart, educated, "civilized" (i.e. willingly helpless) men from the cleansings. The ones who weren't "lifted" and sent off to Siberia, were enrolled into a front line regiment and given crap gear and no real training. Very few returned, most scarred for life. All I saw of them while growing up were pictures over mantelpieces. Grandmothers mourning long lost brothers or maimed cousins. That is the fate of the helpless of those who depend on others for their protection...

And what governments are preparing today, the police states being built now, they are so much more insidious, in that they're so much better concealed behind "feel good" intentions and bullshit propaganda about "the good of man". Oh well, fools get what they deserve. There's no stopping it at this point, fools gave up that chance a long time ago. All one can do now is get out of the way and let the Leviathan leap off the cliff with all the fools aboard. Watch the splatter and feel not sorry... they laid their own beds. Trying to save the stupid from their stupidity is what got the world into its sorry state in the first place. The stupid should have been permitted to perish, and Darwin should've been allowed to have his laugh. Instead the stupid were forced to live against their best attempts, so they outbred those who merited survival and to thrive.

Re:no encryption that YOU didn't write is safe (4, Funny)

quitte (1098453) | more than 6 years ago | (#24456749)

Sarah Connor? Is that you?

Re:no encryption that YOU didn't write is safe (0)

Anonymous Coward | more than 6 years ago | (#24456977)

Sarah Connor? Is that you?

T-1000-in-cop-uniform: "Are you John Galt?"

Re:no encryption that YOU didn't write is safe (1)

ScrewMaster (602015) | more than 6 years ago | (#24456853)

Homeschool your kids and do a good job, history, law and the local mythology are especially important subjects. Several languages and a good grasp of self defense, tactics and strategy are also quite important.

Mr. Heinlein, is that you?

Not that I can find much to dispute about your post.

Never was and never will be... (4, Insightful)

Arimus (198136) | more than 6 years ago | (#24456277)

Depending on how you define secure then no, Hushmail is not.

Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shut down the PC and leave it shut down for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted.

As for Hushmail - it's secure if you trust them to use suitable encryption algorithm, key material, pseudo random number generator, secure processes (not the program kind, the how to do the job kind), secure network, no shady or otherwise agreements with third parties (inc. governments) to provide decrypted data, not to store your original plain-text mail for any longer than the time it takes to encrypt it, securely erase the plain-text version etc etc etc. Probably enough holes to drive a bus through...

Re:Never was and never will be... (1)

hacker (14635) | more than 6 years ago | (#24456679)

"Personally if I want to send encrypted mail I will do so on a PC I have direct control over, I will carry out the encryption before the email goes anywhere. And depending on the type of encryption used, I might even carry out the encryption on a terminal which has no network connections etc and after encrypting the mail will shut down the PC and leave it shut down for a while - this setup would have no swap partition etc, or if it did it would be a minimum of baseline encrypted."

Of course you also bring your own bootable ISO cd/dvd to run the OS from which you compose and encrypt that email, and your own keyboard to ensure there are no hardware key loggers installed, right?

Re:Never was and never will be... (1)

Arimus (198136) | more than 6 years ago | (#24456949)

If it's my own terminal under my own control I know what I've installed on it... that's the whole point - a PC I have direct control over also applies to the terminal without a network connection :)

Re:Never was and never will be... (3, Funny)

ColdWetDog (752185) | more than 6 years ago | (#24456965)

... bring your own bootable ISO cd/dvd to run the OS from which you compose and encrypt that email, and your own keyboard to ensure there are no hardware key loggers installed, right?

OK, I'll bite (and I know that you are being a bit sarcastic) but:

What are you all doing on your computers? If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis. Really now. From your respective basements?

Re:Never was and never will be... (3, Insightful)

hacker (14635) | more than 6 years ago | (#24457095)

"If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis. Really now. From your respective basements?"

Isn't that the point? Shouldn't we be portraying that EXACT image to the respective governments who are trying to overthrow us? Seriously, isn't that EXACTLY what they're trying to do with the false security theater that is being thrust upon us with each new day of news reports from the Middle East and domestic?

You might find the article "Fascist America, in 10 easy steps [guardian.co.uk] " interesting in this context.

In short, the government SHOULD be afraid of the power of the people, because it is exactly those people who give the government their power, not the reverse. We all COULD be harboring plans to overthrow the government, and we should anyway, if they cease to support our rights and needs as a populace. In other words, do what we're expecting of you, or expect to get overthrown. Period.

Re:Never was and never will be... (2, Insightful)

turbidostato (878842) | more than 6 years ago | (#24457133)

" What are you all doing on your computers?"

What's this? Another turn of the old argument "but if you have nothing to hide...?" or what?

I don't need to give *any* explanation to protect my intimacy.

Re:Never was and never will be... (1)

TheRaven64 (641858) | more than 6 years ago | (#24457153)

If you read these posts you would think that the average slashdotter was planning to overthrow one (or more likely all) governments on a regular basis

Well, what else does one do on rainy Sunday afternoons?

Old News? (4, Informative)

zifn4b (1040588) | more than 6 years ago | (#24456291)

It appears that this was reported back in 2007 on The Register [theregister.co.uk] .

There is indeed a clause in the clarified terms of service mentioned by the above article that states that your data is not safe from law enforcement authorities with a court order [hushmail.com] from the Supreme Court of British Columbia, Canada:

We are committed to the privacy of our users, and will absolutely not release user data without a court order from the Supreme Court of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such court order refer specifically by email address to any account for which data is required. However, if we do receive such a court order, we are required to do everything in our power to comply with the law. Hushmail will not accept a court order issued by any authority or investigative agency other than the Supreme Court of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that a court order be issued by the Supreme Court of British Columbia, Canada.

do not use the internet (0)

jacquesm (154384) | more than 6 years ago | (#24456301)

if your communications are such that you think they require encryption. It's really that simple. As soon as those packets leave your premises you can simply assume that whatever is in them even if it is encrypted to the hilt is public knowledge.

rely on face to face contact if you want your communications to be secure.

Re:do not use the internet (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24456369)

rely on face to face contact if you want your communications to be secure.

Are you smoking?

Meeting face to face is the worst possible way for secure communications. It allows for easy snooping by anyone on you and the person you're meeting, and even the fact that you are meeting with a person can taint you if they are on the terrorist list or "watch list".

Public email such as thepiratebay's slopsbox is way better. Be sure to post and read from a public library or similar, with no cameras.

Huh?? (0)

Anonymous Coward | more than 6 years ago | (#24456305)

What the hell is Hushmail??

Re:Huh?? (4, Funny)

Vectronic (1221470) | more than 6 years ago | (#24456595)

Shhhh!... keep your voice down.

First rule of Hushmail... (4, Funny)

MsGeek (162936) | more than 6 years ago | (#24456919)

...is that nobody talks about Hushmail.

Decentralize Aggregated Services (1)

Bob9113 (14996) | more than 6 years ago | (#24456351)

One way to help mitigate this risk is to decentralize aggregated services. If there were five hundred different equivalents to Hushmail, one of them going down would be less of a threat, and many of them going down would be impossible to keep quiet.

The main problem I can come up with is market differentiation; Mom & Pops work in meatspace because physical proximity matters. With the Internet, when a product (like encrypted email) is difficult to differentiate, it is hard for more than a handful of competitors to gain traction.

A solution to that is to make end-user tools easier to use and more common. For example, everyone could use a GPG plugin for their email client without the risk associated with one of the handful of major providers being breached.

Which leads, I think, to the conclusion that one very good thing one could do to support free speech would be to promote GPG and personal asymmetric keys. You might do this by helping develop the tools, or even just by using GPG to sign your own emails, and adding a .sig that explains what you're doing.

Just thinking out loud...

Jars embed date of creation - More Info Needed (5, Insightful)

KrisWithAK (32865) | more than 6 years ago | (#24456359)

Any developer that has worked closely with jar (zip) files should have immediately noticed a possible issue with this announcement. If you use the jar tool to create a jar archive with its default options, it embeds a new MANIFEST.MF file which has a new creation time; therefore, you will get a different jar checksum even if you are archiving the same exact contents. It would have been simply possible that the Hushmail build process created a new jar file (with identical files) for each type of software distribution that they use. The only way we can be sure is to compare the file list and checksum for each file inside of the jar archives.

Re:Jars embed date of creation - More Info Needed (1)

omega_dk (1090143) | more than 6 years ago | (#24456563)

Bah, accidental moderation post.

The file is obfuscated (5, Informative)

tkinnun0 (756022) | more than 6 years ago | (#24456387)

The jar-file is obfuscated, bringing its size down to 270KB from 485KB. The source code archive contains a file verification.txt with this text:

For those who wish to verify that the class files downloaded when accessing
Hushmail are genuine, they can be compared against class files compiled from
source using the following tools.

Sun JDK 1.5.0_05 for Windows
Microsoft Java SDK 4.0
Proguard 3.5 (http://proguard.sourceforge.net)

Usage of these tools can be determined from the included Makefile and
proguard.conf. Note that the signing steps in the Makefile cannot be
accomplished, and so the class files must be compared individually. You cannot
compare the entire archive.

The Bouncy Castle Lightweight API Version 1.31
can be downloaded here:

http://www.bouncycastle.org/download/lcrypto-jdk11-131.tar.gz

The archives used by Hushmail are located here:

https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

Please ensure that you are comparing the same versions. Sometimes the release
of source code may lag a few days behind the update of Hushmail.

Questions can be directed here: https://www.hushmail.com/contact

I haven't done this verification, but neither has the cryptome author, so I suspect this is a non-story.
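The per-file comparison that the "Jars embed date of creation" comment and the quoted verification.txt both call for, as an added example that is not part of the thread or of Hushmail's code: it hashes each entry's uncompressed content and ignores `META-INF/`, since the signing steps cannot be reproduced. The function names and the two in-memory sample jars are constructed for illustration; a real check would pass the bytes of the downloaded jar and of a jar rebuilt with the exact tool versions verification.txt lists.

```python
import hashlib
import io
import zipfile

# The manifest and signature files live under META-INF/ and legitimately
# differ between a local rebuild and the signed jar served to users.
# Anything under this prefix is therefore NOT verified by this check.
SKIP_PREFIX = "META-INF/"


def entry_digests(jar_bytes):
    """Map each entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.startswith(SKIP_PREFIX):
                continue
            if info.filename in digests:
                # A zip may hold two entries with one name; which one a
                # loader picks is ambiguous, so refuse to compare.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(published, rebuilt):
    """Compare two jars entry by entry instead of by archive checksum."""
    a, b = entry_digests(published), entry_digests(rebuilt)
    return {
        "archive_hash_equal": hashlib.sha256(published).digest()
        == hashlib.sha256(rebuilt).digest(),
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def build_jar(classes, timestamp, signed=False):
    """Constructed sample data: build a small jar in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
        jar.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", timestamp), manifest)
        if signed:
            jar.writestr(zipfile.ZipInfo("META-INF/SAMPLE.SF", timestamp),
                         "Signature-Version: 1.0\r\n")
        for name, body in classes.items():
            jar.writestr(zipfile.ZipInfo(name, timestamp), body)
    return buf.getvalue()


# Constructed class-file stand-ins (not real bytecode).
CLASSES = {
    "com/example/Engine.class": b"\xca\xfe\xba\xbe constructed engine body",
    "com/example/Util.class": b"\xca\xfe\xba\xbe constructed util body",
}
PUBLISHED = build_jar(CLASSES, (2008, 7, 1, 12, 0, 0), signed=True)
REBUILT = build_jar(CLASSES, (2008, 8, 2, 9, 30, 0))
TAMPERED = build_jar(
    {**CLASSES, "com/example/Engine.class": b"\xca\xfe\xba\xbe altered body"},
    (2008, 8, 2, 9, 30, 0),
)

if __name__ == "__main__":
    # Same classes, different timestamps and signing: archive hashes differ,
    # but no class content differs.
    print(compare_jars(PUBLISHED, REBUILT))
    # One class changed: it is reported by name.
    print(compare_jars(PUBLISHED, TAMPERED))
```

A differing whole-archive checksum alone says nothing either way; only a non-empty `content_differs`, `only_in_published` or `only_in_rebuilt` list indicates that the served classes do not match the build from source.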

Re:The file is obfuscated (4, Interesting)

datajack (17285) | more than 6 years ago | (#24456555)

Agreed, it is very clear from opening the jar files that the published one has undergone obfuscation.

di-3k (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24456405)

They've always stated openly that it's not secure (1)

Joce640k (829181) | more than 6 years ago | (#24456501)

...when you encrypt via the web interface.

The only secure way is to download the encryptor (source code available) and encrypt before it leaves your machine.

Or you could do what the terrorists do and encrypt a file with one of the bazillion encryption utilities and openly send it as an attachment via hotmail. Duh!

Mixmaster (4, Informative)

trewornan (608722) | more than 6 years ago | (#24456503)

If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.

In general it's a bad idea to be confident in your encryption - if the Germans hadn't been so confident in Enigma they might have done much better militarily.

Any provider like this can ultimately be compelled to cooperate with security services and you've therefore got to assume they are working with major governments to compromise your communications. Common sense really.

That said, something like Mixmaster [sourceforge.net] is a good place to start. Makes it very difficult to be located by any legal process although (of course) it won't help if the NSA takes an interest.

Hushmail? Compromised almost as soon as it was set up I'd wager.

Re:Mixmaster (1)

DNS-and-BIND (461968) | more than 6 years ago | (#24456631)

Yeah, that's pretty much why the NSA is so fanatic about being able to break encryption. Being able to read the Japanese and German codes was a decisive advantage in winning WWII. Just imagine how different the world would be if the free nations had lost. Even accepting a peace treaty that ended the war but left Germany or Japan still standing would be an entirely different world today.

Re:Mixmaster (0, Troll)

quitte (1098453) | more than 6 years ago | (#24456781)

one time pads don't help against brute forcing encryption. They just prevent brute forcing authentication.

Re:Mixmaster (1)

trewornan (608722) | more than 6 years ago | (#24456839)

Learn something about elementary encryption before shooting your mouth off.

Re:Mixmaster (1)

Just Some Guy (3352) | more than 6 years ago | (#24457115)

Skipped that chapter, huh?

Re:Mixmaster (2, Funny)

ivantheshifty (1245510) | more than 6 years ago | (#24457057)

If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.

In general it's a bad idea to be confident in your encryption - if the Germans hadn't been so confident in Enigma they might have done much better militarily.

Wait wait wait...Somebody on slashdot's read Cryptonomicon? I'm shocked.

Re:Mixmaster (1)

trewornan (608722) | more than 6 years ago | (#24457189)

Well . . . yes, but I recommend Simon Singh's Codebook as a much better intro. Cryptonomicon was a bit of a tedious read actually.

Re:Mixmaster (1)

Lincolnshire Poacher (1205798) | more than 6 years ago | (#24457087)

> If you want encryption guaranteed against major governments you have to go with a one time pad.

Well yes, but what proportion of encrypted communications are intended to be elided from government view?

When Insurance_Company_A uses 3DES to encrypt rate files sent to Field_Agent_A, they're doing so because they don't want Insurance_Company_B reading their trade secrets.

When I connect to Amazon via SSL using 256-bit AES, I do so because I don't want HaXX0R_C grabbing my debit card details.

When I GPG-encrypt e-mails to friends it is to prevent Bored_Sysop_D from reading my e-mails as they spool on the recipient's MX.

I contend that the fear of Government snooping accounts for a very small proportion of encrypted data.

is Hushmail still safe? - NO !!! (1)

rs232 (849320) | more than 6 years ago | (#24456553)

"Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication"

No, it's most probably controlled by one of the branches of the security services .. :)

Comment Summary (0)

Anonymous Coward | more than 6 years ago | (#24456615)

"Is Hushmail even safe to use anymore?"

Depends on the laws you intend to break.

God knows (1)

Mishotaki (957104) | more than 6 years ago | (#24456647)

God knows everything, he is everywhere and sees everything... so he knows what kind of data you encrypted, he knows what program you used and what the key to unlock is.... so the next time you go see a priest, you better not mention it, he might have had a little talk with God about it.

Re:God knows (1)

theblondebrunette (1315661) | more than 6 years ago | (#24456699)

God may know, but what the f**k does a priest know and have to do with God?

Re:God knows (1)

causality (777677) | more than 6 years ago | (#24457145)

I don't really subscribe to a major religion, but I have studied most of them and I can probably clear that up for you (the GP's joke, that is). The whole point of a priest is to act as an intermediary between yourself and God, usually with the implication that you could not speak to God yourself. That's what makes a priest different from a preacher, who is merely a teacher of what he believes to be true while the actual interaction with God is up to you. The basis of rejecting the concept is the idea that God is equally available to everyone and therefore, priests are not special and do not deserve any extra status.

I won't comment on whether either or both ideas are valid. That's something each person needs to make up their own mind about and you seem to have taken your stance on it. I was just explaining the GP's reasoning when he made a joke about not letting a priest learn about your encryption.

"Still safe" (1)

betterunixthanunix (980855) | more than 6 years ago | (#24456671)

Hushmail was never safe, not from a cryptographic perspective. Hushmail kept a copy of your private key, AND the passphrase for that key would be sent to their servers. The drug investigation demonstrates why that is unsafe, but anyone with a basic understanding of cryptography knew that it was a possibility long ahead of time.

It is a matter of convenience trumping security.

Probably not ... (1)

ScrewMaster (602015) | more than 6 years ago | (#24456791)

Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?

I think the submitter answered his own question.

My encryption is fool proof (1)

Puffy Director Pants (1242492) | more than 6 years ago | (#24456797)

I just write nonsense anyway.

Re:My encryption is fool proof (1)

ScrewMaster (602015) | more than 6 years ago | (#24456985)

So we've noticed.

Sorry, couldn't resist.

Oh please, safe? (1)

mlwmohawk (801821) | more than 6 years ago | (#24457021)

No person or entity can remain true to two or more masters. As long as there is an "agent" involved who must answer to some other authority, the punishment of not cooperating with the "other" master will be weighed against protecting you.

The best bet is to encrypt locally with your own self-certified keys, only give the public keys on a need-to-know basis.

If you can add an obscure encryption scheme on top of that, so much the better. If underneath all that you can use an obscure document encoding and character format, or even unused language like Navaho, you're good to go.

Crap (0)

Anonymous Coward | more than 6 years ago | (#24457113)

Is every story posted on Slashdot now inaccurate or completely false?

Read & Learn, And Legalize Marijuana (0)

Anonymous Coward | more than 6 years ago | (#24457117)

Since the article is often pulled from websites, the first article you should read and burn into your mind is this, Google for the title and archive a copy for yourself:

"A break-in to end all break-ins"
"In 1971, stolen FBI files exposed the government's domestic spying program"

It's an amazing story, and in 2008, how much has this expanded into every corner of our lives? The majority of Americans are brainwashed sheep consumers with a limp wet noodle for a brain, thrashing around with their Wii and Paris Hilton media like a fat dinosaur in a tar pit. Stay informed, we have no privacy, encryption is good but useless with acoustic monitoring, reflections in the eye and objects in your environment, etc.! If it's electronic, there's always a loophole. You shine brighter with each electronic device you use, in many ways. Don't trust Hushmail or any web based mail service to keep anything of yours secure or to provide any reasonable degree of security. Secure your computer room and rig your computer to shut down if you use encryption like Truecrypt or other when your environment is entered by someone other than you or those you permit and trust (you shouldn't trust anyone, everyone has a price)

Compromising Reflections or How to Read LCD Monitors Around the Corner
http://www.infsec.cs.uni-sb.de/~unruh/publications/reflections.pdf [uni-sb.de]

And more:


Those were a few links for you, and now:

* News Articles:

http://blogs.salon.com/0002762/stories/2003/12/22/whyIsMarijuanaIllegal.html [salon.com]
http://yro.slashdot.org/yro/06/09/02/0638243.shtml [slashdot.org]
http://yro.slashdot.org/yro/07/12/17/0314218.shtml [slashdot.org]

Note from Hushmail (0)

Anonymous Coward | more than 6 years ago | (#24457147)

The guy who posted on Cryptome checksummed the wrong file. He should have compared the website file (HushEncryptionEngine.jar) against applets/HushEncryptionEngine.jar, not HushEncryptionEngine_3-0-0-30.jar.
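The comparison described in the comment above, as an added example that is not part of the original post or Hushmail's code: it hashes a served file against a named entry in a release archive and lists every entry with identical content, so a mismatch caused by picking the wrong entry can be told apart from a genuinely different build. The function names, the archive layout (both jars in one zip) and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def match_served_file(served: bytes, release_zip: bytes, expected_path: str) -> dict:
    """Compare a served file with the entry at expected_path in a release archive.

    Every entry is hashed, so the result also names any other entry whose
    content is byte-identical to the served file.
    """
    served_digest = sha256(served)
    with zipfile.ZipFile(io.BytesIO(release_zip)) as zf:
        digests = {info.filename: sha256(zf.read(info))
                   for info in zf.infolist() if not info.is_dir()}
    if expected_path not in digests:
        raise KeyError(f"{expected_path} is not in the release archive")
    return {
        "served_sha256": served_digest,
        "expected_matches": digests[expected_path] == served_digest,
        "identical_entries": sorted(p for p, d in digests.items() if d == served_digest),
    }

def build_constructed_release() -> tuple[bytes, bytes]:
    """Constructed sample data: a served file and a release zip holding two jars."""
    served = b"constructed bytes standing in for the applet the site serves"
    other = b"constructed bytes standing in for a differently packaged build"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumed layout: both file names from the comment live in one archive.
        zf.writestr("applets/HushEncryptionEngine.jar", served)
        zf.writestr("HushEncryptionEngine_3-0-0-30.jar", other)
    return served, buf.getvalue()

if __name__ == "__main__":
    served, release = build_constructed_release()
    for path in ("applets/HushEncryptionEngine.jar", "HushEncryptionEngine_3-0-0-30.jar"):
        result = match_served_file(served, release, path)
        status = "match" if result["expected_matches"] else "MISMATCH"
        print(path, "->", status, "| identical entries:", result["identical_entries"])
```

A mismatch that comes with a non-empty `identical_entries` list points to a wrong comparison target rather than a modified binary; an empty list means no file in the release corresponds to what is being served.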

Snail mail FTW. (0)

ohxten (1248800) | more than 6 years ago | (#24457279)

I use snail mail. It's safer because it's sealed. Snail mail FTW.