Message-Id: <C714D78E-7955-42C6-8C5B-03A5D02B2714@jms1.net>
Date: Wed, 2 Jan 2008 00:38:07 -0500
From: John Simpson <jms1@...1.net>
To: bugtraq@...urityfocus.com
Subject: Re: Cryptome: NSA has real-time access to Hushmail servers

On 2007-12-28, at 0555, gb@...hates.the.constitution.gov wrote:
>
> To Guardster Team & Juha-Matti
>
> Here's the proof.
>
> U.S. CALEA law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS". By  
> U.S. law any telecommunications carrier (that's you, HushMail) that  
> does business in the U.S. shall ensure intercept of all wire and  
> electronic communications. So we have two choices: HushMail is  
> telling the truth and knowingly breaking U.S. law, or Hushmail is  
> lying to the public and is a legal business in the U.S. The simplest  
> answer is that Hushmail is a legal business in the U.S.
>
> http://www.askcalea.net/calea/103.html


get your facts straight. a "legal business in the U.S." is not the  
same thing as a "telecommunications carrier".

you are correct about what section 103 says.

however, read in section 102 (47USC1001), where they define the term  
"Telecommunications carrier".

subsection (8)(B)(ii) is kinda vague: apparently, if the FCC decides  
that an email server is a "replacement for a substantial portion of  
the local telephone exchange service and that it is in the public  
interest to deem such a person or entity to be a telecommunications  
carrier for the purposes of this title", then anybody who runs an email  
server would be required to make provisions for government wire-tapping.

so... did the FCC declare email servers to be part of the telephone  
service, and nobody noticed?

subsection (8)(C)(i) explicitly says that "information services" are  
NOT included. subsection (6) defines what the term "information  
services" means... and (6)(B)(iii) sounds like an email server to me.

in addition, subsection (6)(A) seems to indicate that the term  
"information services" would include encryption and decryption (they  
are "transforming", after all), which means that they would also NOT  
be covered under the CALEA law.

so my semi-educated but usually correct guess is that, unless they are  
providing connectivity to clients, hushmail is not a  
"telecommunications carrier" and is therefore not required to make  
any provisions for government monitoring.

if they ARE providing connectivity, that's a totally different story.  
the fact is that they have your secret key on their server. it may be  
encrypted so they can't just plain read the key data, and they read  
the passphrase for that encryption wrapper from a web browser whenever  
they need to do something with the key. if they WERE considered to be  
a "telecommunications carrier" and received an order to monitor a  
user, they could easily change their scripting so that the first time  
that the user USED their key, the script would decrypt the key itself,  
and then make a copy of the un-encrypted secret key data, and then  
decrypt anything in the user's account.

personally, i wouldn't use hushmail anyway. i prefer PGP/GPG, where  
the secret key never leaves the computer sitting in front of me. if  
hushmail didn't have the secret key, then they wouldn't be able to  
provide any decrypted information, regardless of whether they can  
convince a court that hushmail should be considered a  
"telecommunications carrier".

----------------------------------------------------------------
| John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
| http://www.jms1.net/                         <jms1@...1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
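The key-handling scenario the post describes, as an added example that is not part of the original message and is not Hushmail's code: a server holds the user's passphrase-wrapped secret key, receives the passphrase from the browser on every use, and a one-line "intercept" switch (a stand-in for the scripting change the post imagines) makes it keep a plaintext copy of the key the next time the user unwraps it. The wrapping and mail ciphers are a SHA-256 counter-mode stand-in chosen so the example runs with the standard library only; they are not a recommended cipher, and the "secret key" is a symmetric key standing in for a PGP private key. All names and values are constructed for the illustration.

```python
"""Hosted-key escrow risk, modelled with the standard library only.

Illustrative code added to the archive page, not Hushmail's implementation.
The stream cipher is a SHA-256 counter-mode toy (an assumption made so the
example needs no third-party package); the threat it demonstrates does not
depend on the cipher: whoever sees the passphrase can keep the key.
"""
import hashlib
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000  # constructed parameter for the example


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        chunk = data[i:i + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def wrap_secret_key(secret_key: bytes, passphrase: str) -> dict:
    """Passphrase-wrap the secret key: PBKDF2 derives the wrapping key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "nonce": nonce, "body": keystream_xor(kek, nonce, secret_key)}


def unwrap_secret_key(wrapped: dict, passphrase: str) -> bytes:
    """Inverse of wrap_secret_key; a wrong passphrase yields garbage, not an error."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), wrapped["salt"], PBKDF2_ROUNDS)
    return keystream_xor(kek, wrapped["nonce"], wrapped["body"])


def encrypt_mail(secret_key: bytes, plaintext: bytes) -> dict:
    """Encrypt a message to the user (stand-in for a PGP-encrypted mail)."""
    nonce = os.urandom(16)
    return {"nonce": nonce, "body": keystream_xor(secret_key, nonce, plaintext)}


class HostedKeyServer:
    """Server that stores the wrapped key and unwraps it whenever the user acts.

    The passphrase arrives from the browser on each use, so the server sees
    the plaintext key every time; `intercept` is the monitoring-order switch."""

    def __init__(self, wrapped: dict):
        self.wrapped = wrapped
        self.intercept = False            # flipped when an order to monitor arrives
        self.captured_key: Optional[bytes] = None

    def decrypt_for_user(self, passphrase: str, ciphertext: dict) -> bytes:
        """Normal operation: the user reads mail through the web interface."""
        key = unwrap_secret_key(self.wrapped, passphrase)
        if self.intercept and self.captured_key is None:
            self.captured_key = key       # "make a copy of the un-encrypted secret key"
        return keystream_xor(key, ciphertext["nonce"], ciphertext["body"])

    def decrypt_without_user(self, ciphertext: dict) -> Optional[bytes]:
        """What the server can hand over on its own: nothing until a key was captured."""
        if self.captured_key is None:
            return None
        return keystream_xor(self.captured_key, ciphertext["nonce"], ciphertext["body"])


def local_key_model(secret_key: bytes, ciphertext: dict) -> Optional[bytes]:
    """PGP/GPG-style contrast: the key and passphrase stay on the client, so a
    server that only relays `ciphertext` has no key material to copy."""
    server_side_key = None                # the server never held the secret key
    if server_side_key is None:
        return None
    return keystream_xor(server_side_key, ciphertext["nonce"], ciphertext["body"])


if __name__ == "__main__":
    user_key = os.urandom(32)                        # constructed user secret key
    server = HostedKeyServer(wrap_secret_key(user_key, "correct horse"))
    mail = encrypt_mail(user_key, b"constructed sample message")
    print("before order:", server.decrypt_without_user(mail))
    server.intercept = True
    server.decrypt_for_user("correct horse", mail)   # user reads mail once
    print("after one use:", server.decrypt_without_user(mail))
    print("local-key model:", local_key_model(user_key, mail))
```

The point the block makes is that the wrapper around the stored key only protects it while the passphrase is unknown to the server; the moment the passphrase is supplied to server-side code, a single code change turns routine use into key capture, whereas the local-key model leaves the server with nothing to copy.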




