Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cryptome: NSA has real-time access to Hushmail servers

From: John Simpson <jms1 () jms1 net>
Date: Wed, 2 Jan 2008 00:38:07 -0500
On 2007-12-28, at 0555, gb () gb hates the constitution gov wrote:


Too Guardster Team & Juha-Matti

Heres the proof.
U.S. Calea law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By U.S. law any telecommunications carrier (thats you HushMail) that does business in the U.S. shall ensure intercept of all wire and electronic communications. So we have two choices, HushMail is telling the truth and knowingly breaking U.S. law. Or Hushmail is lying to the public and is a legal business in the U.S. The simplest answer is the Hushmail is a legal business in the U.S. 

http://www.askcalea.net/calea/103.html
get your facts straight. a "legal business in the U.S." is not the same thing as a "telecommunications carrier". 

you are correct about what section 103 says.
however, read in section 102 (47USC1001), where they define the term "Telecommunications carrier".
subsection (8)(B)(ii) is kinda vague- apparently, if the FCC decides that an email server is a "replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for the purposes of this tile", then anybody who runs an email server would be required to make provisions for government wire-tapping.
so... did the FCC declare email servers to be part of the telephone service, and nobody noticed?
subsection (8)(C)(i) explicitly says that "information services" are NOT included. subsection (6) defines what the term "information services" means... and (6)(B)(iii) sounds like an email server to me.
in addition, subsection (6)(A) seems to indicate that the term "information services" would include encryption and decryption (they are "transforming", after all), which means that they would also NOT be covered under the CALEA law.
so my semi-educated but usually correct guess is that, unless they are providing connectivity to clients, hushmail is not a "telecommunications carrier" and therefore are not required to make any provisions for government monitoring.
if they ARE providing connectivity, that's a totally different story. the fact is that they have your secret key on their server. it may be encrypted so they can't just plain read the key data, and they read the passphrase for that encryption wrapper from a web browser whenever they need to do something with the key. if they WERE considered to be a "telecommunications carrier" and received an order to monitor a user, they could easily change their scripting so that the first time that the user USED their key, the script would decrypt the key itself, and then make a copy of the un-encrypted secret key data, and then de- crypt anything in the user's account.
personally, i wouldn't use hushmail anyway. i prefer PGP/GPG, where the secret key never leaves the computer sitting in front of me. if hushmail didn't have the secret key, then they wouldn't be able to provide any de-crypted information, regardless of whether they can convince a court that hushmail should be considerd a "telecommunications carrier". 

----------------------------------------------------------------
| John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
| http://www.jms1.net/                         <jms1 () jms1 net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------

Attachment: PGP.sig
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: