Date: Mon, 31 Dec 2007 10:41:38 -0700
From: "M. Burnett" <mb@...o.net>
To: <bugtraq@...urityfocus.com>
Subject: RE: Re: Cryptome: NSA has real-time access to Hushmail servers

It is important to note that CALEA only applies to telecommunications
services and explicitly exempts information services. Furthermore, there is
this exception:

	(3) ENCRYPTION- A telecommunications carrier shall not be responsible
	for decrypting, or ensuring the government's ability to decrypt, any
	communication encrypted by a subscriber or customer, unless the encryption
	was provided by the carrier and the carrier possesses the information
	necessary to decrypt the communication.

So surely, Hushmail, Guardster, and Safe-Mail would not legally be required
to provide this assistance to the U.S. government. And if they were to allow
users to control encryption they could also protect themselves that way.
While the NSA certainly may have the capabilities to spy (perhaps illegally)
on any network or service provider, the original accusation on Cryptome
states that:

1. "Hushmail...now fully owned by private entity NSA affiliate..." 
2. "Safe-mail.net...provides mail server info to NSA real time"
3. "NSA contractors have 'bought' full access rights to Guardster..."

However, the anonymous Cryptome poster does not provide any evidence,
references, or any other basis for making that claim. Remember that this is
the same anonymous poster who, again without providing any evidence, claims
that the NSA owns 90% of the internet (but didn't include pentagon.mil, and
many .mil, .gov, DISA etc.), and who also claims that Windows is backdoored
using ephemeral TCP ports 1024-1030. Oh, and major firewall vendors are in on
it too. There is not even an explanation of how he came up with these
conclusions; we just have to take the word of an anonymous author.

So while this all makes for a good conspiracy (of course they deny it, they
are required by law), we really have no basis to determine if this is in
fact true or not, so we have gained nothing but a lot of noise to clutter
*real* issues.

Spreading rumors such as these is damaging. An analogy: If I really wanted
to break into a particular business, I would first spend several weeks
purposely tripping the alarm. Anyone who has ever owned a faulty alarm
system will agree that after just 3 or 4 false alarms, the system loses
credibility to the point where you are much more likely to view any
subsequent alarms as false alarms. The alarm system is crying wolf.

A year ago we heard accusations that AT&T gave the NSA access to its
network. We all strongly believed it to be true. But if the Internet and
news media had previously been flooded with NSA collaboration conspiracy
theories that just about everyone was working with the NSA, would we have
had more doubts when the story originally broke? I think we would have. Will
we be more skeptical of the next accusation? Surely we will.


Mark Burnett


Refs:
http://cryptome.org/nsa-ip-update15.htm
http://xato.net/bl/2007/12/22/nsa-controls-internet/




> -----Original Message-----
> From: gb@...hates.the.constitution.gov
> [mailto:gb@...hates.the.constitution.gov]
> Sent: Friday, December 28, 2007 3:55 AM
> To: bugtraq@...urityfocus.com
> Subject: Re: Re: Cryptome: NSA has real-time access to Hushmail servers
> 
> To Guardster Team & Juha-Matti
> 
> 
> Here's the proof.
> 
> 
> U.S. CALEA law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By U.S.
> law any telecommunications carrier (that's you, HushMail) that does
> business in the U.S. shall ensure intercept of all wire and electronic
> communications. So we have two choices: HushMail is telling the truth
> and knowingly breaking U.S. law, or Hushmail is lying to the public and
> is a legal business in the U.S. The simplest answer is that Hushmail is
> a legal business in the U.S.
> Windows Security
> 
> > http://www.askcalea.net/calea/103.html
