lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <002901c84bd4$687d2100$39776300$@net>
Date: Mon, 31 Dec 2007 10:41:38 -0700
From: "M. Burnett" <mb@...o.net>
To: <bugtraq@...urityfocus.com>
Subject: RE: Re: Cryptome: NSA has real-time access to Hushmail servers

It is important to note that CALEA only applies to telecommunications
services and explicitly exempts information services. Furthermore, there is
this exception:

	(3) ENCRYPTION- A telecommunications carrier shall not be
responsible 
	for decrypting, or ensuring the government's ability to decrypt, any

	communication encrypted by a subscriber or customer, unless the
encryption 
	was provided by the carrier and the carrier possesses the
information 
	necessary to decrypt the communication.

So surely, Hushmail, Guardster, and Safe-Mail would not legally be required
to provide this assistance to the U.S. government. And if they were to allow
users to control encryption they could also protect themselves that way.
While the NSA certainly may have the capabilities to spy (perhaps illegally)
on any network or service provider, the original accusation on cryptome
states that:

1. "Hushmail...now fully owned by private entity NSA affiliate..." 
2. "Safe-mail.net...provides mail server info to NSA real time"
3. "NSA contractors have 'bought' full access rights to Guardster..."

However, the anonymous cryptome poster does not provide any evidence,
references, or any other basis for making that claim. Remember that this is
the same anonymous poster who, again without providing any evidence, claims
that the NSA owns 90% of the internet (but didn't include pentagon.mil, and
many .mil, .gov, DISA etc.), and who also claims that Windows is backdoored
using ephemeral TCP ports 1024-1030. Oh and major firewall vendors are in on
it too. There is not even an explanation of how he came up with these
conclusions, we just have to take the word of an anonymous author.

So while this all makes for a good conspiracy (of course they deny it, they
are required by law), we really have no basis to determine if this is in
fact true or not, so we have gained nothing but a lot of noise to clutter
*real* issues.

Spreading rumors such as these is damaging. An analogy: If I really wanted
to break into a particular business, I would first spend several weeks
purposely tripping the alarm. Anyone who has ever owned a faulty alarm
system will agree that after just 3 or 4 false alarms, the system loses
credibility to the point where you are much more likely to view any
subsequent alarms as false alarms. The alarm system is crying wolf.

A year ago we heard accusations that AT&T gave the NSA access to its
network. We all strongly believed it to be true. But if the Internet and
news media had previously been flooded with NSA collaboration conspiracy
theories that just about everyone was working with the NSA, would we have
had more doubts when the story originally broke? I think we would have. Will
we be more skeptical of the next accusation? Surely we will.


Mark Burnett


Refs:
http://cryptome.org/nsa-ip-update15.htm
http://xato.net/bl/2007/12/22/nsa-controls-internet/




> -----Original Message-----
> From: gb@...hates.the.constitution.gov
> [mailto:gb@...hates.the.constitution.gov]
> Sent: Friday, December 28, 2007 3:55 AM
> To: bugtraq@...urityfocus.com
> Subject: Re: Re: Cryptome: NSA has real-time access to Hushmail servers
> 
> Too Guardster Team & Juha-Matti
> 
> 
> Heres the proof.
> 
> 
> U.S. Calea law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By U.S.
> law any telecommunications carrier (thats you HushMail) that does
> business in the U.S. shall ensure intercept of all wire and electronic
> communications. So we have two choices, HushMail is telling the truth
> and knowingly breaking U.S. law. Or Hushmail is lying to the public and
> is a legal business in the U.S. The simplest answer is the Hushmail is
> a legal business in the U.S.
> Windows Security
> 
> > http://www.askcalea.net/calea/103.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ