Don't Trust Hushmail!
Activist | 22.11.2007 10:39 | Technology
Activists who use Hushmail, as a "secure" alternative to Gmail or Yahoo need to think again -- although it is still going to keep your email correspondence obscure to your ISP and any spooks listening in at that level, it's NOT secure -- when Hushmail are asked to hand over data they will: "Hushmail provided 12 CDs of emails in June to U.S. officials" 
http://blog.wired.com/27bstroke6/2007/11/hushmail-to-war.html
http://blog.wired.com/27bstroke6/2007/11/hushmail-to-war.html
It gets worse, that article on Wired goes on to say:
"when the company gets a court order, "we are required to do everything in our power to comply with the law," according to an updated explanation of Hushmail's security.
That everything seems to include sending a rogue Java applet to targeted users that will then report the user's passphrase back to Hushmail, thus giving the feds access to all stored emails and any future emails sent or received."
So, what can activists do?
You could start by studying the latest (updated September 2007) version of the Practical Security Advice for Campaigns and Activists booklet which is attached, see their web site for more info: http://www.activistsecurity.org/
"when the company gets a court order, "we are required to do everything in our power to comply with the law," according to an updated explanation of Hushmail's security.
That everything seems to include sending a rogue Java applet to targeted users that will then report the user's passphrase back to Hushmail, thus giving the feds access to all stored emails and any future emails sent or received."
So, what can activists do?
You could start by studying the latest (updated September 2007) version of the Practical Security Advice for Campaigns and Activists booklet which is attached, see their web site for more info:
http://www.activistsecurity.org/
Activist
Homepage:
http://www.activistsecurity.org/
Additions
Well, for a start
22.11.2007 12:28
Practical Security Advice for Campaigns and Activists should include never ever distributing documents in Micro$oft word format as it's a very well known carrier for macro viruses which can do pretty much anything on your computer they like, maybe logging hushmail passwords etc.
Having just skimmed through this document, it does include this advice which you the poster of the above seem to have ignored:
"On the computer, use simple text editors such as NotePad on Windows, SimpleText on Macs or
emacs/vi on Linux. Big programmes such as Microsoft Word, Lotus Notes, etc often store backups of
your text, and have a variety of issues that you would probably want to avoid, as if your computer
should be stolen, others may find it easier to locate the letters you have created. In fact, we would
recommend that you avoid Micro$oft Word altogether."
I'm sorry to be such a nag as your hushmail info is VERY useful and important, but this security stuff is so critical (for some) and the mistake you made was fundamentally wrong, rather like an innoculation clinic deciding to use some old syringes they found in the gutter.
To be honest, trying to cram the whole subject of computer security into a single page as this document does is absurd. It's a very large and complex subject and and by treating it in such a superficial manner, the authors are likely to make activists feel safe when in fact they are not. Computer security really needs to be properly researched and properly documented in an activist friendly format. Any takers?
I've converted the word doc into a PDF file which is safe to distribute. Suggest other activists replace their word copies with this.
Having just skimmed through this document, it does include this advice which you the poster of the above seem to have ignored:
"On the computer, use simple text editors such as NotePad on Windows, SimpleText on Macs or
emacs/vi on Linux. Big programmes such as Microsoft Word, Lotus Notes, etc often store backups of
your text, and have a variety of issues that you would probably want to avoid, as if your computer
should be stolen, others may find it easier to locate the letters you have created. In fact, we would
recommend that you avoid Micro$oft Word altogether."
I'm sorry to be such a nag as your hushmail info is VERY useful and important, but this security stuff is so critical (for some) and the mistake you made was fundamentally wrong, rather like an innoculation clinic deciding to use some old syringes they found in the gutter.
To be honest, trying to cram the whole subject of computer security into a single page as this document does is absurd. It's a very large and complex subject and and by treating it in such a superficial manner, the authors are likely to make activists feel safe when in fact they are not. Computer security really needs to be properly researched and properly documented in an activist friendly format. Any takers?
I've converted the word doc into a PDF file which is safe to distribute. Suggest other activists replace their word copies with this.
kriptick
Comments
Display the following 6 comments