Poulsen, Kevin Wednesday, November 07, :54 PM Singel, Ryan FW: [hush.com # ] Journalist's query

Similar documents
Happy to chat about this, however the final authority id Management however he would probably seek our advice on the content anyway.

October Dear Clients of Exceptional Bear: Re: security issues

PROFESSOR: Last time, we took a look at an explicit control evaluator for Lisp, and that bridged the gap between

Register FAQ Calendar Today's Posts Search

Introduction to JavaScript and the Web

KIK s GUIDE FOR LAW ENFORCEMENT

P1_L3 Operating Systems Security Page 1

The Activist Guide to Secure Communication on the Internet. Introduction

Introducing the Employment Law Exams

Hello, and welcome to another episode of. Getting the Most Out of IBM U2. This is Kenny Brunel, and

Security seminar topics Aleksei Gorny

MITOCW watch?v=flgjisf3l78

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Tim moves to accept, Chris Z seconds. No objections or comments.

Post Experiment Interview Questions

Privacy & Cookie Statement

Intro. So, let s start your first SMS marketing legalese class!

Technology Safety Quick Tips

Instructor (Mehran Sahami):

SUPERIOR COURT OF THE DISTRICT OF COLUMBIA CRIMINAL DIVISION FELONY BRANCH

Long Filename Specification

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Brief to the House of Commons Standing Committee on Industry, Science and Technology on the review of Canada s Anti-Spam Legislation.

How To Construct A Keyword Strategy?

Skill 1: Multiplying Polynomials

The Center for Affiliated Learning ( the CAL ) Privacy Policy

Full Court Press: Getting the Press to Write About your App!

Meet our Example Buyer Persona Adele Revella, CEO

The Stack, Free Store, and Global Namespace

Digital Marketing Manager, Marketing Manager, Agency Owner. Bachelors in Marketing, Advertising, Communications, or equivalent experience

Who am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration

mid=81#15143

CODE MAROON TEST SEPT. 30, 2011 SURVEY RESULTS

REALTORS LEGAL ALERT

CSE143 Notes for Monday, 4/25/11

Good afternoon and thank you for being at the webinar on accessible PowerPoint presentations. This is Dr. Zayira Jordan web accessibility coordinator

It s still very important that you take some steps to help keep up security when you re online:

Bellevue job Don C Burdick to: Ted A Carlson

Case 1:18-cr TSE Document 2 Filed 06/20/18 Page 1 of 9 PageID# 2 IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA

Module 6. Campaign Layering

Lesson 4: Who Goes There?

MITOCW watch?v=qota76ga_fy

4 having been first duly sworn, testified as follows: 6 Q. (BY MS. REYNA) Good afternoon, Officer. 7 Could you please introduce yourself to our jury?

Windows Script Host Fundamentals

CS103 Handout 50 Fall 2018 November 30, 2018 Problem Set 9

How to Write a Proper Business Letter

Obtained by Judicial Watch, Inc. via FOIA

A Double Edged Sword. December 10, Originally published March 15, 1996 in Web Review magazine.

A PROGRAM IS A SEQUENCE of instructions that a computer can execute to

It Might Be Valid, But It's Still Wrong Paul Maskens and Andy Kramek

e180 Privacy Policy July 2018

Balanced BST and AVL Trees

Double Your Affiliate Commissions with this VERY Simple Strategy

IACA Discussion List Guidelines, Use and Subscription Management

Defining Done in User Stories

User's Manual. Intego ChatBarrier X3 User's Manual Page 1

2007 chee kong ow yong ( all rights reserved. VPS Guide for MT4. (version 1.0) by ckowyong.com, 30 september 2007.

What's New. Version 9.2 release. Campground Master Contents 1. Contents. A couple quick reminders:

STAUNING Credit Application Internet Sales Process with /Voic Templates to Non-Responsive Prospects 2018 Edition

OOoCon Marketing OpenOffice.org. by Nick Richards On rendezvous. Right here, right now.

CS144 Final Review. Dec 4th, 2009 Tom Wiltzius

BassAce Midi Synth old forum topics 1 of 6. here are some (minor) errors i found on the bassace documentation.

ECA Trusted Agent Handbook

Table of Contents. Part 1 Postcard Marketing Today Brief History of Real Estate Postcards Postcard Marketing Today...

FACEBOOK SAFETY FOR JOURNALISTS. Thanks to these partners for reviewing these safety guidelines:

Guide to Installing Fldigi and Flmsg with Red Cross Templates

IACA Discussion List. About the IACA Discussion List. Guidelines, use and subscription management

DEPOSITION OF DOT THOMAS by Brian Korte

2016 All Rights Reserved

The following content is provided under a Creative Commons license. Your support

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Manual Updating To Ios 7 Ipad 3 Not Working

Notes to Accompany Debugging Lecture. Jamie Blustein

Michael Phelps Foundation: Privacy Policy

Q2 How many attorneys practice at the firm, organization, agency or department, or other entity you listed above?

Sending s With Sendmail - Part 2

MITOCW watch?v=yarwp7tntl4

How Do I Lock My Iphone 4 Screen While On A Call

PRIVACY POLICY Let us summarize this for you...

On 26 Jul 2011, at 19:15, Rory McCune wrote:

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Information Security Incident Response Plan

H O W T O I N S T R U C T Y O U R NEW USERS GUIDE TO INSTRUCTING PROCESS SERVER

Network Working Group Request for Comments: 1984 Category: Informational August 1996

Register FAQ Calendar Today's Posts Search

Register FAQ Calendar Today's Posts Search

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

On Mon, Sep 28, 2015 at 5:01 PM, Sams, Savannah wrote:

I just left you a long-winded message about this issue. Can you please call me after you read the below ? Thank you.

Tips from the experts: How to waste a lot of time on this assignment

1 LOGGING IN REQUEST A SUB (from the calendar) REQUEST A SUB (from Line Listing) ACCEPTING AN INVITATION TO BE A SUB...

Monette Garcia AT&T Senior Sales Executive - Fiber Solutions Wireless: Beech Ave McAllen, TX 78501

WHITE PAPER. Authentication and Encryption Design

(Photos and Instructions Based on Microsoft Outlook 2007, Gmail, Yahoo! Mail, and Hotmail)

etiquette rules for effective replies

Why you should never ask favors from a graphic designer:

How to Improve Your Campaign Conversion Rates

Hi Bob, I got this from my colleagues near the end of last week and unfortunately lost track of it in my inbox to send you.

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Part 1: Information Security for City Governments; Defining e-discovery

Transcription:

Singel, Ryan From: Sent: To: Subject: Poulsen, Kevin Wednesday, November 07, 2007 1:54 PM Singel, Ryan FW: [hush.com #2012168] Journalist's query -----Original Message----- From: Brian Smith [mailto:sbs@hushmail.com] Sent: Wednesday, November 07, 2007 1:40 PM To: Poulsen, Kevin Subject: RE: [hush.com #2012168] Journalist's query Hi Kevin, Sorry, I've been really busy the past couple of days. However, I've collected some info from our internal counsel that hopefully will make things a bit clearer. Like any company doing this sort of thing for a long time, we've had to deal with quite a few requests from law enforcement. In these situations, we always require that a court order be issued, and that court order must be issued by the Supreme Court of British Columbia. For such an order to be issued in respect of a request where the alleged offenses have not occurred in Canada, a formal request must be made to the government of Canada under an applicable Mutual Legal Assistance Treaty by the country in which the requesting law enforcement agency is located. Assuming the government of Canada accepts the request, or if the alleged offense has occurred in Canada, an application is then made by the Department of Justice to the Supreme Court of British Columbia for an order that Hush be required to provide certain information. That application must be supported by Affidavit evidence such that the presiding Judge determines that an offense has occurred and that Hush has evidence of same. We receive many requests for information from law enforcement authorities, including subpoenas, but on being made aware of the requirements, a large percentage of them do not proceed. To date, we have not challenged a court order in court, as we have made it clear that the court orders that we would accept must follow our guidelines of requiring only actions that can be limited to the specific user accounts named in the court order. That is to say, any sort of requirement for broad data collection would not be acceptable. There's been some discussion about Hushmail in this context on the web lately, and I think it's a healthy thing. There are situations where Hushmail is an appropriate tool and situations where is not. It is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order. That's also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order. Yes, you are right about the fact that view source is not going to reveal anything about the compiled Java code. However, it does reveal the HTML in which the applet is embedded, and whether the applet is actually being used at all. Anyway, I meant that just as an example. The general point is that it is potentially detectable by the end-user, even though it is not practical to perform this operation every time. This means that in Java mode the level of trust the user must place in us is somewhat reduced, although not eliminated. The extra security given by the Java applet is not particularly relevant, in the practical sense, if an individual account is targeted. However, it makes it less necessary to take us at our word when we say we do not do any broad collection of private user data. The issues with applet verification were pointed out by Schneier back when Hushmail originally came out. http://www.schneier.com/essay-191.html 1

Regards, Brian On Wed, 07 Nov 2007 09:44:04-0800 "Poulsen, Kevin" <Kevin_Poulsen@wired.com wrote: Hi Brian, I want to make sure you didn't send me a reply to this message that I missed. I think we're going to write up something on this issue. K -----Original Message----- From: Poulsen, Kevin Sent: Monday, November 05, 2007 11:16 AM To: 'Brian Smith' Subject: RE: [hush.com #2012168] Journalist's query Speaking generally, and not specifically about the affidavit I sent you, it seems like if Hushmail can be compelled by legal process to actively capture a private key, you could also be compelled to send a user a modified version of your Java applet that would send the user's private key to Hushmail or a law enforcment agency. Unless I'm missing something, "view source" wouldn't help a user against this type of attack, since the tinkering would be done in the compiled Java code. Are you free to say whether you've been obliged to do this, and if so, how often. And have you challenged in court an order compelling the collection and production of private keys? Kevin Poulsen senior editor -- wired news office: +1 415 276-8411 mobile: +1 415 652-2725 klp@wired.com -----Original Message----- From: Brian Smith [mailto:sbs@hushmail.com] Sent: Monday, November 05, 2007 10:53 AM To: Poulsen, Kevin Subject: RE: [hush.com #2012168] Journalist's query Kevin, Yes, you are right. That's why in the matrix on that help page it shows "Not protected" for "Attacker controls webserver while you are accessing your email". That actually goes for Java and non-java, with the difference being that in Java mode, what the attacker does is potentially detectable by the user (via view source in the browser). For this reason a web-based email service is never going to reach the rigorous level of security of an entirely client-based solution like GnuPG. However, the attack required to get encrypted messages from Hushmail is significantly more difficult than simply recovering messages from a server hard drive. Brian 2

On Mon, 05 Nov 2007 10:13:57-0800 "Poulsen, Kevin" <Kevin_Poulsen@wired.com wrote: Thanks again Brian for your quick response. I just want to make sure I understand this correctly. Is the case of the non-java user, it sounds the only option available to an attacker would require that someone reconfigure your servers to store the user's private key during the brief time that it's unencrypted. In other words, if an attacker gains access to your servers they still can't access the content of my e-mail -- until I next log in. Then everything I've received, or subsequently receive, is compromised. K -----Original Message----- From: Brian Smith [mailto:sbs@hushmail.com] Sent: Monday, November 05, 2007 9:38 AM To: Poulsen, Kevin Subject: RE: [hush.com #2012168] Journalist's query Hi Kevin, I can't comment specifically on the affidavit, but I can clear up your questions about the architecture. The only way to decrypt encrypted Hushmail messages stored on our servers is with the private keys associated with the senders and recipients of those messages, and the only way to access those private keys is with the associated passphrases. Since early 2006, Hushmail can run in a couple of different configurations, which provide different balances of usability and security. One uses a Java applet, one does not. These links give a pretty full explanation of the different levels of security between the two version: https://www.hushmail.com/hushmail/showhelpfile.php?file=compatibil i t y/java/index.html http://www.hushmail.com/help-faqs2#accesstopassphrase http://www.hushmail.com/help-faqs2#accesstoprivatekey The key point, though, is that in the non-java configuration, private key and passphrase operations are performed on the server- side. This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet. 3

This might clarify things a bit when you are considering what actions we might be required to take under a court order. Again, I stress that our requirement in complying with a court order is that we not take actions that would affect users other than those specifically named in the order. BTW, if you have an older Hushmail account yourself, it may not have the non-java option available. If that's the case, I can switch that on for you. Regards, Brian On Thu, 01 Nov 2007 12:59:23-0800 "Poulsen, Kevin" <Kevin_Poulsen@wired.com wrote: Hi Brian, Thanks for your reply on this. I have a related question. This law enforcement affidavit (below) in a steroid sales case indicates that the police obtained, not just the IP addresses of users, but the actual content of mail sent to and from three separate Hushmail accounts. I understand that you have to comply with legal process, but I thought that Hushmail's architecture made it impossible for anybody, including your company, to access e-mails' contents. Is that wrong? http://static.bakersfield.com/smedia/2007/09/25/15/steroids.sourc e. prod_ affiliate.25.pdf K Kevin Poulsen senior editor -- wired news office: +1 415 276-8411 mobile: +1 415 652-2725 klp@wired.com -----Original Message----- From: Brian Smith [mailto:sbs@hushmail.com] Sent: Wednesday, September 19, 2007 12:10 PM To: Poulsen, Kevin Subject: [hush.com #2012168] Journalist's query Hi Kevin, Our policy is that we only release user information under court order from a court of British Columbia. 4

(http://www.hushmail.com/help-faqs#courtorder) When a US agency requires information, they have to work in co- operation with Canadian authorities. While I'm not legal counsel, I believe that most of this is handled through the Mutual Legal Assistance (MLAT) process. From our perspective, the end result is always a Canadian court order. We comply fully with Canadian court orders, so long as they apply to specifically identified accounts as opposed to broad data collection. If you need any more info, let me know. Brian Smith CTO Hush Communications Corporation https://www.hushmail.com sbs@hushmail.com (604) 685-6937 ext 222 On Wed Sep 19 00:09:10 2007, klp@wired.com wrote: Hi Hushmail. I'm working on a story about Max Butler, a hacker who was recently indicted for a bunch of credit card related stuff in the U.S. It turns out U.S. law enforcment traced Butler through his Hushmail account. A U.S. Secret Service affidavit says "Secret Service has obtained Internet Protocol (IP) connection logs for the email account, digits@hush.com. On multiple occasions, the account was accessed from a computer assigned the IP addresses 207.234.185.134," etc. I'm just wondering what steps the Secret Service goes to in order to get information like that, given that you're located in Canada. Thanks in advance! Kevin Poulsen senior editor - wired news office: +1 415 276-8411 mobile: +1 415 652-2725 klp@wired.com 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback