Don't Trust Hushmail!
Activist | 22.11.2007 10:39 | Technology
Activists who use Hushmail, as a "secure" alternative to Gmail or Yahoo need to think again -- although it is still going to keep your email correspondence obscure to your ISP and any spooks listening in at that level, it's NOT secure -- when Hushmail are asked to hand over data they will: "Hushmail provided 12 CDs of emails in June to U.S. officials" 
http://blog.wired.com/27bstroke6/2007/11/hushmail-to-war.html
http://blog.wired.com/27bstroke6/2007/11/hushmail-to-war.html
It gets worse, that article on Wired goes on to say:
"when the company gets a court order, "we are required to do everything in our power to comply with the law," according to an updated explanation of Hushmail's security.
That everything seems to include sending a rogue Java applet to targeted users that will then report the user's passphrase back to Hushmail, thus giving the feds access to all stored emails and any future emails sent or received."
So, what can activists do?
You could start by studying the latest (updated September 2007) version of the Practical Security Advice for Campaigns and Activists booklet which is attached, see their web site for more info: http://www.activistsecurity.org/
"when the company gets a court order, "we are required to do everything in our power to comply with the law," according to an updated explanation of Hushmail's security.
That everything seems to include sending a rogue Java applet to targeted users that will then report the user's passphrase back to Hushmail, thus giving the feds access to all stored emails and any future emails sent or received."
So, what can activists do?
You could start by studying the latest (updated September 2007) version of the Practical Security Advice for Campaigns and Activists booklet which is attached, see their web site for more info:
http://www.activistsecurity.org/
Activist
Homepage:
http://www.activistsecurity.org/
Additions
Well, for a start
22.11.2007 12:28
Practical Security Advice for Campaigns and Activists should include never ever distributing documents in Micro$oft word format as it's a very well known carrier for macro viruses which can do pretty much anything on your computer they like, maybe logging hushmail passwords etc.
Having just skimmed through this document, it does include this advice which you the poster of the above seem to have ignored:
"On the computer, use simple text editors such as NotePad on Windows, SimpleText on Macs or
emacs/vi on Linux. Big programmes such as Microsoft Word, Lotus Notes, etc often store backups of
your text, and have a variety of issues that you would probably want to avoid, as if your computer
should be stolen, others may find it easier to locate the letters you have created. In fact, we would
recommend that you avoid Micro$oft Word altogether."
I'm sorry to be such a nag as your hushmail info is VERY useful and important, but this security stuff is so critical (for some) and the mistake you made was fundamentally wrong, rather like an innoculation clinic deciding to use some old syringes they found in the gutter.
To be honest, trying to cram the whole subject of computer security into a single page as this document does is absurd. It's a very large and complex subject and and by treating it in such a superficial manner, the authors are likely to make activists feel safe when in fact they are not. Computer security really needs to be properly researched and properly documented in an activist friendly format. Any takers?
I've converted the word doc into a PDF file which is safe to distribute. Suggest other activists replace their word copies with this.
Having just skimmed through this document, it does include this advice which you the poster of the above seem to have ignored:
"On the computer, use simple text editors such as NotePad on Windows, SimpleText on Macs or
emacs/vi on Linux. Big programmes such as Microsoft Word, Lotus Notes, etc often store backups of
your text, and have a variety of issues that you would probably want to avoid, as if your computer
should be stolen, others may find it easier to locate the letters you have created. In fact, we would
recommend that you avoid Micro$oft Word altogether."
I'm sorry to be such a nag as your hushmail info is VERY useful and important, but this security stuff is so critical (for some) and the mistake you made was fundamentally wrong, rather like an innoculation clinic deciding to use some old syringes they found in the gutter.
To be honest, trying to cram the whole subject of computer security into a single page as this document does is absurd. It's a very large and complex subject and and by treating it in such a superficial manner, the authors are likely to make activists feel safe when in fact they are not. Computer security really needs to be properly researched and properly documented in an activist friendly format. Any takers?
I've converted the word doc into a PDF file which is safe to distribute. Suggest other activists replace their word copies with this.
kriptick
Comments
Hide the following 6 comments
Reply to kriptick
22.11.2007 13:33
Don't shoot the messenger, the file uploaded to Indymedia is the same one as on
They claim it is a RTF file, and perhaps it is, but with the wrong file extension, or perhaps not...
If you run strings on the file the only info in there that perhaps shouldn't be is "vincent" (the login of the last person to edit this file?) and "Dell" (was it last edited on a Dell machine?) and "Microsoft Word 10.0" (is that the version it was last edited using?).
> Computer security really needs to be properly researched and properly documented in an activist friendly format.
Agreed.
Activist
sorry messenger
22.11.2007 14:17
Ye Gods! Sorry messenger. In that case maybe everyone should rip up that document without reading it. If the authors so clearly ignore their own advice like that then they should apply for jobs straightaway at the home office or HMRC.
kriptick
Plausible Deniabilty
22.11.2007 19:16
For instance, this
Danny
Homepage:
http://www.truecrypt.org/docs/?s=plausible-deniability
IM not really such a good source of "best practices"?
22.11.2007 23:13
link you give contains 36 responses. Some of them trolls, some inane comments and just a very few contain brief tech advice - maybe good. But you can't really expect your average activist to make much sense of such a chaotic jumble. Things need to be spelled out much more clearly. Until someone does come up with such up-to-date info in an understandable format, the best advice to anyone who is confused by all this is not to use a computer for anything dodgy. In these times of rapidly declining freedoms, it could be your undoing.
kriptick
lol
23.11.2007 00:25
old school
Best practices are mostly too late, responsive
23.11.2007 00:36
Many responses to many articles are rubbish. Some are deliberate disinformation. Every reader / contributor is facing a 'pick'n'chose' situation
"Things need to be spelled out much more clearly."
I agree and disagree. I think you have to investigate more for yourself if you want to progress. I think there is no point in putting a 'best practice' manual - such a thing is self-defeating unless passed hand to hand. Instead when a certain activist has proven a certain competence, then you should introduce them to new skills. I published the TrueCrypt stuff simply as the more people who do it, the better for everybody. Most sensitive cutting edge stuff I wouldn't publish here or anywhere unless I knew it didn't affect me or mine.
"Until someone does come up with such up-to-date info in an understandable format, the best advice to anyone who is confused by all this is not to use a computer for anything dodgy."
Yes, precisely. Although, if it isn't dodgy to you or anyone that you love then don't worry too much.
Danny