Forgot your password?
typodupeerror
Security Privacy Communications Encryption United States

Hushmail Passing PGP Keys to the US Government 303

Posted by Zonk
from the this-would-be-nonoptimal dept.
teknopurge writes "Apparently Hushmail has been providing information to law enforcement behind the backs of their clients. Billed as secure email because of their use of PGP, Hushmail has been turning over private keys of users to the authorities on request. 'DEA agents received three CDs which contained decrypted emails for the targets of the investigation that had been decrypted as part of a mutual legal assistance treaty between the United States and Canada. The news will be embarrassing to the company, which has made much of its ability to ensure that emails are not read by the authorities, including the FBI's Carnivore email monitoring software.'"
This discussion has been archived. No new comments can be posted.

Hushmail Passing PGP Keys to the US Government

Comments Filter:
  • by kaufmanmoore (930593) on Saturday November 17, 2007 @02:32PM (#21391169)
    the authorise overlords
  • Goodbye Market! (Score:5, Insightful)

    by Fallen Seraph4 (1186821) on Saturday November 17, 2007 @02:33PM (#21391187)
    I really hope that they go out of business for this. I mean they extremely deserve it. I know that they probably didn't have much of a choice to hand over the keys, but to continue advertising such security... That's not cricket.
    • by wurp (51446)
      I have used Hushmail for ages, and it is entirely secure. These users did something foolish - they demanded, then got, then used a "more convenient" version of Hushmail that did the encryption on the server instead of on the client.

      Standard Hushmail downloads (& caches) an applet on your computer that encrypts & decrypts your private key with your passphrase. Only the encrypted private key is stored on Hushmail servers, and your email encrypted with the public key. They don't give your decrypted
      • by Anonymous Coward on Saturday November 17, 2007 @03:22PM (#21391503)
        That may all be well and good, but the fact of the matter is that the design of Hushmail is flawed.

        You never give your private key away to anyone ever. Period. Giving Hushmail a weakly encrypted private key is fishy to start with, but then entering the passphrase to decrypt it in a Hushmail controlled applet is just stupid.

        And it's completely unnecessary because there are very good encryption utilities in existence and it's very trivial to set up a system that is a thousand times more secure than Hushmail. How about Debian + KMail + GnuPG? You don't trust Debian enough, because it's a binary distro and who knows what they secretly put in there? Use Gentoo.

        Perhaps the tinfoil hat crowd will say things like "but there might be a backdoor in your hardware", but Hushmail wouldn't save you from that. And let's be honest here: no one really believes that anyway.

        You may have thought yourself very witty when writing that penultimate paragraph, but the fact of the matter is that in today's world you can actually be as good as sure.
        • Re: (Score:3, Insightful)

          by rm999 (775449)
          The users demanded a less secure method because it was more convenient. They got what they asked for. Hushmail made it very clear in the process that they were giving up security, and the users still wanted it. We should be blaming the users for ruining Hushmail's reputation, not Hushmail for following the law.
      • Re: (Score:3, Interesting)

        by julesh (229690)
        Of course, with the applet they could give you a new one that sends them the decrypted key - I'm not sure of the legality of them doing so, even with a court order.

        If I were them, I'd wipe the private key that's used to sign the applet. That way, if they're ever forced to do this, they'd have to use a different signing certificate, and the users (at least those who had checked the 'always trust applets from Hush Communications' checkbox the first time they signed in) would get an unexpected security dialog
      • by hpavc (129350)
        I disbelieve .... "Hushmail gives you precisely as much security as they possibly can, and no more." is meaningless when they fail to share that they have a policy of going turn coat on you. Billing yourself as a oasis when its a mirage is more like it.
      • by badfish99 (826052) on Saturday November 17, 2007 @04:07PM (#21391853)
        Hushmail gives you precisely as much security as they possibly can, and no more.

        I don't know much about Hushmail, but I looked at their website, and they seem to want about $50 per year for what is basically GPG, and therefore available free. Except that, since java applets are downloaded from the server, there's no way to be sure that what you're actually running is what they claim that you are running, so their system might have all sorts of insecurities and backdoors, even if their source code looks OK. So they might give you as much security as they can, or they might be a bunch of cowboys. How do you tell? I certainly wouldn't trust them with my secrets.
  • Alternatives? (Score:5, Insightful)

    by InvisblePinkUnicorn (1126837) on Saturday November 17, 2007 @02:34PM (#21391189)
    What alternatives are there besides Hushmail?
    • Re:Alternatives? (Score:5, Insightful)

      by John Hasler (414242) on Saturday November 17, 2007 @02:40PM (#21391221) Homepage
      > What alternatives are there besides Hushmail?

      GPG works fine.
      • Re: (Score:3, Informative)

        by DustyShadow (691635)
        GPG + the Thunderbird GPG plugin works perfectly.
        • Re: (Score:3, Insightful)

          by legirons (809082)
          Except that the government can [theregister.co.uk] put you in prison for trying to keep a secret from them

          how ironic, a fascist government in the UK. Good thing all the WW2 veterans are dead, so they didn't have to see it...

    • Re:Alternatives? (Score:5, Insightful)

      by Bert64 (520050) <bert AT slashdot DOT firenzee DOT com> on Saturday November 17, 2007 @02:41PM (#21391225) Homepage
      If you want encrypted mail, run the encryption yourself... GPG is freely available. Then it doesn't matter via which service you transmit the mail.
      • If you want encrypted mail, run the encryption yourself... GPG is freely available.
        I don't know anything about "HushMail", but I assume it has some kind of Web interface? Are there any alternatives for people that must use Web mail (for example on the road a lot)? Could some type of encryption program be carried on a USB drive that might translate the message locally into code?
        • Re:Web Mail (Score:5, Insightful)

          by N7DR (536428) on Saturday November 17, 2007 @03:32PM (#21391587) Homepage
          Are there any alternatives for people that must use Web mail

          FireGPG. I haven't used it, but the blurb seems to indicate that that does the trick, at least for gmail.

        • by Nasarius (593729)
          I concur with FireGPG. USB key drives of 2GB and larger are dirt cheap these days, so just install your fully-customized version of Firefox on one, if you're using many unconnected computers. Thunderbird/Enigmail is even better if you're using Gmail, especially now that they offer IMAP.
        • by hairyfeet (841228)
          here you go-http://www.portablefreeware.com/?q=encryption&m=Search plenty of USB portable apps to encrypt, including blowfish.
    • Re: (Score:2, Insightful)

      by Bieeanda (961632)
      Exchanging keys the old-fashioned way, maybe? This seems to be the perfect example of why convenience and security are ultimately mutually exclusive.
    • Re: (Score:3, Interesting)

      by Zonk (troll) (1026140)
      FireGPG? [tuxfamily.org]. Quoting the website:

      "FireGPG is a Firefox extension under GPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG. FireGPG adds an contextual menu to access to some useful functions. We will support some webmails. Currently, only Gmail is supported (some useful buttons are added in the interface of this webmail!)."

      I haven't used it or Hushmail*, but it looks interesting. It does lack the portability, though. Maybe it could be made to
    • Re:Alternatives? (Score:5, Insightful)

      by drix (4602) on Saturday November 17, 2007 @04:31PM (#21392003) Homepage
      FireGPG. It frikkin sticks buttons onto the Gmail UI for sign, encrypt, decrypt, verify, etc. Doesn't get much easier than that folks.

      BTW as rummy as this story is, it's also a good sign that the Feds doesn't possess some magical method of factoring enormous primes that they're not telling anyone about.
      • Re: (Score:3, Interesting)

        by buzzdecafe (583889)
        >> the Feds doesn't possess some magical method of factoring enormous primes

        Hmmm. I have a method for factoring any prime, enormous or not. Here it is:

        For any prime p, the factorization of p = p * 1

        Now excuse me while I run to the patent office.

      • Re: (Score:3, Insightful)

        by Deanalator (806515)
        "... a good sign that the Feds doesn't possess some magical method of factoring enormous primes that they're not telling anyone about."

        These are Canadian feds :-) Even in the US, only a few get access to the code cracking mountains. Not that it would take much, as you can silently hijack any ssl connection with a single cracked verisign/thawte key. Then you win the internet :-)

        Also, on a side note, prime numbers are the easiest numbers to factor :-p
      • Re: (Score:3, Interesting)

        by instarx (615765)
        BTW as rummy as this story is, it's also a good sign that the Feds doesn't possess some magical method of factoring enormous primes that they're not telling anyone about.

        Ha ha, the more things change the more they stay the same. Say what you will about them, but the NSA is *very* good at keeping secrets. Sure, because they've asked for the keys it might make you think they don't have the ability to read the emails without them, but asking for the keys is exactly what they would do to keep the secret. If t
      • Re: (Score:3, Funny)

        by rpillala (583965)

        I hope no one's figured out a way to factor any primes. I've gotten used to the job security of being a math teacher :)

    • Re:Alternatives? (Score:5, Insightful)

      by Niten (201835) on Saturday November 17, 2007 @06:46PM (#21393021)

      What alternatives are there besides Hushmail?

      This isn't meant as one of those haughty, holier-than-thou remarks that it might initially sound like: The best solution is to run your mail user agent yourself, on your own hardware. Really.

      These days it's easy to find an old PC or Mac / Soekris box / Linksys router and install OpenBSD or Linux on it. Then you not only have a more powerful and secure router than you started out with, you also have a general-purpose Unix server at your disposal; set up a free dynamic DNS account from DynDNS.com [dyndns.com] or the likes (in conjunction with the ddclient update script from the OpenBSD ports tree or Debian repositories) and OpenSSH, and you have a secure and efficient way to log into this system from anywhere on the public Internet. That's one step away from a remote access mail client with far greater security than any web-based company will provide you.

      A few pointers:

      • Set up daily, automatic backups of your mail folders with rsync! Don't lose your mail.
      • You'll need a command-line mail user agent so that you can access all this by SSH. Mutt is my favorite, but others swear by Pine or the Emacs client.
      • You can use msmtp to relay, and fetchmail to download, your messages from a remote server; or you can set up your own mail service if your ISP allows it. Consider using procmail to sort incoming messages.
      • Configure S/KEY passwords on your home server: this way you can login from a somewhat untrusted client, yet rest assured that your password cannot be surreptitiously cached and used again.
      • Access your mail on the server as a non-wheel user. Now even if somebody does compromise that account (a risk that is, in my opinion, far lower than the risk taken in using web-based systems), they will not have immediate control over the entire system.
      • Carry Putty [greenend.org.uk] around with you on your USB memory device, in case you need to login from a Windows client. Putty is much smaller and more manageable than keeping your own personal copy of Firefox, and it will happily run from the USB stick without any installation or modification required.
      • Install GPG on the server and import your keyrings.

      This approach has a number of advantages over using any third-party web based system. The most obvious one is that in this configuration, GPG runs entirely on the server, keeping your encryption keys safe from untrusted clients. Also, because you are not using a web application, this system is immune to CSRF and XSS attacks. And OpenSSH offers a wide variety of authentication options, many of them far more secure in real-world scenarios than the simple username/password schemes implemented by most web apps.

      Real information security takes real work, and as Hushmail has so kindly demonstrated for us, it isn't sound to exclude your own hosting company from your threat analysis. Why not simplify things and host part of your mail system yourself - the part that matters, where your encryption keys are stored and your messages are cached. Sure, it won't protect you from every vector of attack; but if your system does get attacked, it will be much more difficult for the attacker to do so entirely behind your back.

      I'm not claiming that such a setup is for everyone. But if you want better security than what Hushmail was able to provide, this is what you need to do. If this is more work than you're willing to put in, it important to realize what you're giving up, and that there are no vastly "better alternatives" in the web-based secure email cottage industry. Or in other words: if you want something done right, do it yourself.

  • by Valdrax (32670) on Saturday November 17, 2007 @02:34PM (#21391191)
    I guess this is a brief lesson in why one should never fully trust the encryption of your private materials to a third party.
  • by WK2 (1072560) on Saturday November 17, 2007 @02:34PM (#21391195) Homepage
    There are several facts missing from the article:

    1) Was there a court order? Or Canadian equivalent?
    2) Did hushmail lie? The obviously commited willful deception, but did they outright lie?
    3) Did hushmail violate it's TOS?
    4) Did hushmail do anything illegal?

    Of course, what the article did mention is important, especially to hushmail, and potential hushmail users. However, it would have been nice if they had dug a little bit to answer these obvious questions.
    • by Albanach (527650) on Saturday November 17, 2007 @02:49PM (#21391285) Homepage
      The Register ran an article on this last week. From their piece:


      US federal law enforcement agencies have obtained access to clear text copies of encrypted emails sent through Hushmail as part a of recent drug trafficking investigation.

      The access was only granted after a court order was served on Hush Communications, the Canadian firm that offers the service.

      Hush Communications said it would only accede to requests made in respect to targeted accounts and via court orders filed through Canadian court.

    • Re: (Score:2, Informative)

      by e9th (652576)
      From their FAQ [hushmail.com].
    • by bcrowell (177657) on Saturday November 17, 2007 @03:07PM (#21391417) Homepage
      The Wikipedia article [wikipedia.org] has a bunch of good references. The slashdot summary seems to be incorrect in some of its particulars. If you read the various articles, none of them seem to say that hushmail turned over private keys. They turned over cleartext of messages. Yes, there was a court order (see the more recent wired article). No, hushmail doesn't seem to have lied to their users in general -- the wired article praises them for their honesty -- but they do seem to have put a strong marketing spin on the lack of real security in the JS implementation of their service (as opposed to the original, more secure Java applet, in which the private keys never left the client machine).
    • by justzisguy (573704) on Saturday November 17, 2007 @03:08PM (#21391421)
      This is all old news that was spelled out in a much more detailed article on Wired [wired.com] last week. To subvert those that don't RTFA, I'll answer your questions here on /.:
      1. Hushmail was served with a court order issued by the British Columbia Supreme Court (the Feds in Bakersfield, CA had to forward their request to the Canadian government)
      2. Hushmail glosses over the vulnerability to private key capture in their non-Java based web client, but it is mentioned. The Java client never transmits the private key (you still must trust the client, source code is available; compare the hashes)
      3. No, Hushmail's TOS do not prevent them with complying with a legal court order. Their users also must not break the law, per the TOS.
      4. Hushmail followed Canadian law perfectly.
      So what can we learn from this? First, don't do illegal things (and use Hushmail or anything else). Second, while their non-Java client is convenient for avoiding the bulk of your traffic getting sucked up by programs like Carnivore [wikipedia.org], use the Java client and not even Hushmail can hand anything over (they never received the private key, even for an instant).
    • by Frosty Piss (770223) on Saturday November 17, 2007 @03:18PM (#21391477)

      2) Did hushmail lie? The obviously commited willful deception, but did they outright lie?
      Come on now. It's the same thing.
      • Re: (Score:2, Insightful)

        by GuldKalle (1065310)
        No, lying is what us normal people do. Willful deception is only for marketing executives, lawyers and politicians.
    • by jonbryce (703250)
      In the event of a conflict between their TOS and criminal law, they have to comply with criminal law, and not their TOS. To the extent that they have to do that, they aren't in breach of contract.
  • End of Hushmail? (Score:2, Insightful)

    by hairykrishna (740240)
    Surely this will do for them? How can they base their entire business around providing private email then just hand over CD's full of them whenever the authorities come knocking? Terrible.
    • by nurb432 (527695)
      How many of their users will even know this happened? Enough to put a dent in them? without a doubt. Enough to put them out of business? I donno.. lots of uninformed people out there.
  • by KevMar (471257) on Saturday November 17, 2007 @02:36PM (#21391203) Homepage Journal
    No mater how secure a company claims to be, you can't expect them to not fallow the law.
    • by julesh (229690)
      No mater how secure a company claims to be, you can't expect them to not fallow the law.

      The point is that according to hushmail's end-user documentation, *they can't do this*.

      Hushmail supposedly store everything, including your key, encrypted. The encrypted key is sent to an applet running on your computer, which decrypts it *locally* without sending a copy of your passphrase to the server. If you send e-mail to another hushmail user (as was the case in this instance) it is supposed to be encrypted with t
    • No mater how secure a company claims to be, you can't expect them to not fallow the law.

      Oh, but I *can* expect them not to render the law useless!
    • No mater how secure a company claims to be, you can't expect them to not fallow the law.

      I'll assume you meant "follow." This is true. However, we have absolutely no evidence that HushMail attempted to FIGHT this order. This should have made a big stink about it and tried to come up with ways to protect their users both technically and legally, but instead they just rolled over and tried to keep it quiet to avoid letting it hurt their bottom line.

      They lied to their customers by pretending to offer them a
  • by Albanach (527650) on Saturday November 17, 2007 @02:37PM (#21391213) Homepage
    This is only possible because users want the convenience of letting the Hushmail servers do the encryption on their behalf. To do this they have to hand over their encryption key, and once it's out of your control, so should be any expectation of privacy.

    I'm not sure what users expect. If a legitimate legal request that is clearly going to stand up to any legal challenge comes in and you give the company the ability to decrypt the messages you send, the company has no option but to comply.

    If Hushmail users want privacy they need to put up with the inconvenience of using an applet to sign their messages, and should be checking the hash of the Applet each time it is downloaded too so they can ensure it hasn't had a backdoor added. ideally the applet shouldn't send anything over the network, it should just encrypt the text and pass the pgp encrypted text content to the browser compose window. Then the user can check the data doesn't include anything they didn't put there themselves.
    • Have to agree with you on this.

      I don't understand why folks are so upset over this. You do NOT
      give out your private keys. Ever. For anything. I don't care
      how convenient the new version is, if you don't have control over
      your private keys, they're no longer private.

      In a related note:

      Last night I noticed that my encrypted emails were not making it
      to my Comcast account. ( Yeah, I hate em too but they're a monopoly
      in my area. You want high speed ? You have Comcast or you have dial
      up. )

      After checking sp
  • by acvh (120205) <<moc.sragicsm> <ta> <keeg>> on Saturday November 17, 2007 @02:41PM (#21391229) Homepage
    kind of defeats the purpose, I'd say.

    • by goodmanj (234846)
      In other news, a breakin and robbery was reported at 42 Elm Street after the owner gave his front door key to a gang member to hold for safekeeping. "He seemed like such a nice guy", said the owner.
  • They used to release the full source code to their Java applet that handled encryption/decryption, and provided instructions for building a byte-exact replica of what they distribute.

    Theoretically, hushmail can be used in a perfectly secure manner; download the source, check it for back-doors, compile the applet yourself and memorize its hash. Then whenever you use hushmail, just verify that the hash of the downloaded applet is the same as the one you compiled yourself.

    Probably hushmail was just feeding
  • by crypTeX (643412) on Saturday November 17, 2007 @02:47PM (#21391271)
    Is everyone forgetting that this is a relatively small company. How many people believe that if The Suits show up with something that looks official on paper that a company with people who want to look out for their own families and such will say "No, we're not giving you that." If the algorithm is secure, you have to keep your own key. I'm not willing to go to prison for your secret, let me know if you find someone who think truly is.
    • by julesh (229690)
      If the algorithm is secure, you have to keep your own key

      Of course, hushmail's original selling point was that you _do_ keep your own key, or at least your key's AES-encrypted while on their servers and not decrypted there. That's the story that most people here about the service, even now.

      However, at some point in the not-too-distant past, hushmail added a new service that didn't require a java applet to work, but that does require them to have your key. They're not forthcoming enough (IMO) about the dif
  • Lesson Learned: (Score:5, Insightful)

    by nurb432 (527695) on Saturday November 17, 2007 @02:49PM (#21391287) Homepage Journal
    Don't trust someone else to do what you should be doing yourself.
  • do not trust anything electronic for communications anymore...
    • what exactly do you propose for long distance communication?
      • by FudRucker (866063)
        i never said not to use anything for long distance communication, just don't trust the devices used for long distance communication...
        • So basically what you're saying is that you cannot send a message long distance with %100 assurance that it is secure. So either don't send sensitive information long distances, or live with the fact that they may be intercepted. Right?
      • by Vegeta99 (219501)
        ROT-13 smoke signals.
  • by headhot (137860) on Saturday November 17, 2007 @02:56PM (#21391327) Homepage
    Hushmail has 2 options, client side encryption which is done via a java plug in, and server side encryption.

    They only had the keys to give away for those people who chose server side encryptions. They don't have the private keys for those who cleint side.

    Also, when you choose you method, Hushmail tells you that server side is much less secure. They and anybody else operating in the US would have to turn over the private keys they heald with a court order.

    Whats the leason? Key your private keys private. Duh.
  • by tommyatomic (924744) on Saturday November 17, 2007 @02:58PM (#21391347)
    Here is a link to a wired article about the same issue. However wired actually bothered to contact the Hushmail and got a response from the CTO Brian Smith. Apparently it is not a clearcut as the OP and TFA suggests. http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html [wired.com]
  • I guess some of you actually use it, so maybe it does do some legit service, but from the description of the thing it sounds like a great "honey-pot" to me.

    1. Present yourself as a way to keep secrets from people.

    2. Sell/Give those secrets to the people directly.
  • Wrong wrong wrong (Score:5, Insightful)

    by starfishsystems (834319) on Saturday November 17, 2007 @03:00PM (#21391365) Homepage
    I've seen several comments already to the effect that we should know better than to trust PGP or other forms of asymmetric encryption.

    These comments are misguided.

    The crypto is fine. It's just been applied in an obviously flawed manner. Of course if some third party obtains your private key, your should assume that your communications are no longer secure. What part of that is hard to understand?

    There way asymmetric crypto is supposed to work, you generate the key pair yourself. Then you give out the public key. You never ever give out the private key.

    As an exercise, think about the following scenario. You go to a website which purports to offer some kind of secure service based on asymmetric crypto, using for example PGP keys or X.509 certificates. The site asks you to supply a bunch of identity information. It then generates a key pair for you.

    What part of this scenario should you trust? The answer: no part! It's not the function of another party to generate your key pair for you. You must do this yourself. You must closely guard the private key, store it securely, never give it out, and avoid transmitting it in cleartext. Got that? Then your problems are over.

    • by lawpoop (604919)

      The crypto is fine. It's just been applied in an obviously flawed manner.
      What about a technology that is theoretically sufficient to accomplished the job it was designed for, but the implementation of such is so counter-intuitive that any human user stands a good chance of thinking it's working when it's not?

      In other words, crypto works -- but the problem is getting human beings to do proper crypto.
    • by Jay L (74152)
      Of course if some third party obtains your private key, your should assume that your communications are no longer secure. What part of that is hard to understand?

      Duh! I agree - even my grandmother knows the difference between a private key generated on her PC by a Java applet running in a browser pointed to hushmail.com and a private key that's generated server-side and displayed in her browser pointed to hushmail.com.

      Oh, wait, no she doesn't.
  • by pavon (30274) on Saturday November 17, 2007 @03:01PM (#21391371)
    This only applies if you use their webmail service with server side encryption. They have to have your key in order to encrypt/decrypt server-side, and they have to turn it over to the authorities if they have a valid warrent. It's the law.

    If you use their client-side Java applet to do the encryption on your computer - as they strongly recommends that you do - then this is not an issue. Hushmail never see you keys and thus cannot be compelled to hand them over.

    Several other sites covered this story earlier in the month all without the crappy sensationalism of slashdot. I first saw it at arstechnica [arstechnica.com], which linked to an interview with the CEO by wired [wired.com].

    I'm not usually one to hard on individual slashdot editors, but this is the 4th intentionally misleading troll that zonk has posted today. It is crap like this that caused me to not renew my slashdot subscription so many years.
    • Re: (Score:3, Insightful)

      by julesh (229690)
      If you use their client-side Java applet to do the encryption on your computer - as they strongly recommends that you do - then this is not an issue.

      If they "strongly recommend" this, why is it off by default?
      • by alyandon (163926)
        Exactly. I just surfed to hushmail's login page via a browser I hadn't used before. It defaulted to the insecure non-java login even though Java is enabled in the browser and I received absolutely no warning at all about the feature being insecure.
  • Embarrassing?? (Score:2, Insightful)

    by samantha (68231) *
    No. They should be sued into oblivion for clear breech of contract for starters. This is one of the most disgustingly slimey things I have seen in a while. Those that take privacy seriously, which should be all of us, were lied to by a company that was supposed to help. And don't give me that tired "well I have nothing to hide" bullshit. When the government and other busies make it their business to prohibit and/or punish a great number of activities that really are no one's business it behooves us as
    • Re: (Score:3, Interesting)

      by samantha (68231) *
      OK, I am embarrassed. They really didn't have much choice except to go out of business given both a fully legal (though it shouldn't be) court order and the fact that the users in question were foolish enough to make their private keys available. I should have read more before firing off. Mea culpa.
      • Re: (Score:3, Insightful)

        by rk (6314)

        In fairness to you, both the headline and the summary not only completely failed to mention that they did this only after receiving a legitimate court order from their jurisdiction for the information they turned over, the tone of the title and summary implies that Hushmail just handed over information voluntarily in violation of agreements. The Article is poorly written, but the summary and headline are even worse. In general, I think a lot of people are a little too hard on Slashdot, but in this case, t

  • War on drugs (Score:4, Insightful)

    by apparently (756613) on Saturday November 17, 2007 @03:30PM (#21391573)
    How awesome is it that a company's reputation and income has to suffer (potentially unrecoverably) in order to comply with a court order, all in the name of The War on Drugs. Yay America: putting business out of business and restricting citizen's rights to their bodies, all at the same time!
  • This seems to me like an example of a much broader issue, which is the plethora of concerns, including privacy concerns, that surrounds the whole concept of using the browser as a platform for applications. People have been struggling with this forever, ever since Sun and MS first locked horns over Java applets. Over and over, we've seen security holes in IE caused by MS's poor handling of the javascript security model. Over and over, we've seen nonproprietary, multiplatform solutions (javascript, ajax) ba

  • by Deliveranc3 (629997) <deliverance AT level4 DOT org> on Saturday November 17, 2007 @03:52PM (#21391763) Journal
    That the NSA and CIA are widely believed to have the best hackers and cryptographers in North America.

    The most successful hackers have been social hackers... and will continue to be.
  • Would you trust a secure webmail company that uses Outlook? This certainly looks like a printout from Outlook to me. http://blog.wired.com/27bstroke6/files/hush_klp.pdf [wired.com]
  • by m2943 (1140797) on Saturday November 17, 2007 @05:19PM (#21392309)
    If you use a company that promises to hide your messages from the government, you can be sure that that's the first place the government looks!

Some people carve careers, others chisel them.

Working...