hushmail
From: "Robert Kemp" <sensuant@hotmail.com>
Date: Thu, 14 Oct 1999 15:51:38 EDT
[: hacktivism :]
----- Original Message -----
From: by way of GEN lists <genetics@gn.apc.org> <dodgygeezer@hushmail.com>
To: <rts@gn.apc.org>
Sent: Wednesday, October 13, 1999 12:34 AM
Subject: -ALLSORTS-SIMPLE e-mail encryption for everyone
> [this comes highly recommended and they say even a technophobe like me
> could get to grips with it - happy encryption - ALLSORTS]
>
> At last, SIMPLE e-mail encryption for everyone.
> ====================================
> Many activists must have become totally paranoid after hearing recently
> about the Echelon global e-mail spying project, hotmail accounts being
> hacked into etc. The Interception of Communications Act allows
> surveillance to be carried out on anyone who is part of "a large number
> of persons in pursuit of a common purpose". The forthcoming Electronic
> Communications Bill contains staggering proposals that can, for instance,
> impose a 5-year prison sentence on you just for warning someone else that
> they're under surveillance. Understandably you want to use e-mail without
> fear of being spied on by the forces of darkness. Well for once there's
> some good news because powerful help is at hand thanks to a timely new
> e-mail service called hushmail.
>
> I should explain at this point that the term strong encryption means that
> a scrambled message can't be unscrambled within a time scale in which the
> information is still of any use to anyone e.g. whilst you or the present
> world order are still in existence. For a worthwhile encryption system,
> this usually means that using the most powerful computers of the day
> unscrambling a message should take thousands or even millions of years.
>
> Whilst strong e-mail encryption has been around in the form of PGP
> (Pretty Good Privacy) for a number of years, the fact is that even in its
> new Windows version, PGP remains fairly tricky for non-technical computer
> users to set up & use. Not only that but PGP also has to be in turn -
> installed & configured successfully by everyone else who you want to
> communicate with on their computers before it is of any use at all. This
> difficulty of use has been a massive impediment to the take up of strong
> encryption in activist circles.
>
> Hushmail is a new web based e-mail service that is by contrast stunningly
> simple to set up & use. It's like hotmail, yahoo, mailcity or any of the
> other free web e-mail services but hushmail uses strong encryption.
>
> To use this completely free service, simply surf over to
> www.hushmail.com & follow the very clear & straightforward instructions
> for setting up a new account. There are also answers to many Frequently
> Asked Questions & info on how it all works for those that are interested.
> Basically the only essential requirements are that you have a fairly
> recent internet browser program that understands what's called Java
> script such as Micro$ofts Internet Explorer version 4 or 5 (both of which
> are supplied by nearly all the free ISPs) & an existing dial up
> connection.
>
> Being web based, hushmail is not quite as convenient for regular heavy
> e-mail use as a conventional e-mail system that allows off line reading &
> composing etc. Also, although hushmail can be used for sending &
> receiving mail to/from conventional e-mail accounts, in order to exchange
> SECURE messages using hushmail, both the sender & recipient must have
> existing hushmail accounts set up. Neither of these requirements are that
> much of a handicap as hopefully loads of activists will have the
> foresight to set up accounts in advance & distribute the details to
> friends for use whenever the need might arise. In fact if you've an
> existing hotmail account or the like, I'd recommend you drop it & convert
> to hushmail instead.
>
> There are some other tremendous bonuses of this system especially the
> fact that you can use a cyber cafe or a college or friend's computer
> anywhere in the world to send & receive hushmail. No need for any special
> software to be installed on that computer or you having to carry your
> private key files around on floppy like PGP would require. All you need
> is to be able to type your pass phrase & to know someone else at the
> receiving end with a hushmail account. If you're away from home & need to
> send some sensitive information to someone with no risk of it being
> eavesdropped then this could be a lifesaver.
>
> Since you're allowed a mailbox size of 3MB (that's 3 good sized novels)
> you can also use it to store any text you don't want others any chance of
> reading on your computer simply by sending hushmail to yourself & leaving
> it on the hushmail server.
>
> OK so by now the sceptics will be asking what's to stop the forces of
> darkness kicking the door of the computer room down where the hushmail
> server is based (in Canada) & accessing all the dodgy stored messages
> directly that way. In fact that wouldn't work at all & a brief
> description of why not follows:
>
> When you log onto hushmail the hushmail server downloads to your computer
> a small program called a Java applet which performs all the strong
> encryption on your local computer. This happens transparently & you'd
> hardly be aware of it except for a delay of a few seconds. Everything
> stored on & passing to & from the server & your computer is strongly
> encrypted first by the Java applet including your pass phrase. Line taps
> & jackboots would be of no use in gaining access to your private
> information.
>
> The creators of hushmail have very sensibly published the human readable
> source code of the encryption program used so that encryption experts
> world-wide can scrutinise it for potential weaknesses. This is in marked
> contrast to most commercial encryption programs which, because they're
> copyrighted up to the eyeballs can & do have all sorts of back doors &
> secret master keys hidden away in them for use by the likes of dodgy
> outfits like the NSA, CIA, GCHQ, MI5/6 etc.
>
> I'd urge everyone who's even slightly concerned about civil rights &
> privacy to set up a hushmail account today, tell everyone you know about
> it & regularly use it even just for writing to your mum. Doing so should
> seriously piss off the likes of Jack Straw & his forces of darkness.
>
> ------------------------------------------------
>
> For the hopelessly paranoid, the full list of potential weaknesses of
> hushmail follows but please note that many of these are typical of any
> encryption system.
>
> Choosing a piss poor pass phrase or writing it down in your diary & then
> getting arrested. When choosing a pass phrase, DON'T use a slogan, sound
> bite or quotation, the name of your lover/dog/mother/favourite
> band/song/football team or anything else predictable. Choose about six
> words that are easy for you to remember without writing them down, but
> impossible for others to guess. All characters, spaces, punctuation &
> case are significant. If you forget this phrase NO ONE IN THE WORLD will
> be able to read or recover your mail for you.
>
> If you prepare text offline you need to be aware that every word
> processor program creates temporary files containing your sensitive
> information & these can be easily recovered from your disk after they've
> been deleted. There are programs downloadable for free that can wipe out
> all trace of files but it's beyond the scope of this article to go into
> detail here. E-mail me for more info on dealing with all possible
> security pitfalls.
>
> Any untrusted person with access to your computer could secretly install
> a virus like program such as DIRT (Data Interception & Remote
> Transmission) or Back Orifice. Such programs can also be installed simply
> by e-mailing them to you & relying on you to open the attachments
> unchecked. Once installed, they can save the last few thousand key
> strokes & then secretly upload them to a server operated by the forces of
> darkness every time you connect to the net. Learn about how viruses
> spread (e-mail me for an easily understood info file). Don't open
> e-mailed file attachments from ANYONE & install & use an UP TO DATE virus
> scanner such as www.avp.ch
>
> Be very careful about who you use to repair your computer if it ever
> breaks down. It's an excellent opportunity for the forces of darkness to
> rake through your computer's contents and/or fit bugging
> hardware/software.
>
> Video bugging devices looking onto the screen/keyboard. These are now so
> small that they can be hidden inside a light switch or can see through a
> pinhole drilled through the party wall of an adjacent property.
>
> Tempest technology.
> This is very hi-tech & involves using a vanload of equipment parked
> outside a building that can reproduce the image of a computer screen some
> distance away just from the radio interference emitted from it. Watch out
> for dodgy looking vans outside your home, or use your computer inside a
> screened aperture free Wendy house that you've made from flattened out
> tin cans stapled together! Laptops are less susceptible to this form of
> attack.
>
> Hushmail is susceptible to the forces of darkness somehow intercepting
> the downloading of the Java encryption applet & substituting their own
> hacked version. This wouldn't be particularly easy to do & hopefully
> alert cipher experts around the world would spot that the Java applet had
> changed.
>
> The author of this article is an environmental & cyber rights activist.
> If I sound very enthusiastic about this new hushmail service, it's
> because I see it as a huge step towards allowing people to easily
> communicate in absolute secrecy. I stress that I have no links with
> hushmail apart from having a free account with them.
> dodgygeezer@hushmail.com
>
>
> Get HushMail. The world's first free, fully encrypted, web-based email
> system.
> Speak freely with HushMail....
> http://www.hushmail.com
>
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]
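
The message above says the encryption runs on the reader's own computer, so the server holds only scrambled data and a forgotten pass phrase cannot be recovered. The sketch below is an added example, not part of the forwarded message and not HushMail's code or algorithms: it assumes Node.js, substitutes scrypt and AES-256-GCM, and its function names and sample values are constructed for illustration.

```javascript
// Added illustration of pass-phrase-based local encryption.
// Not HushMail's code; scrypt and AES-256-GCM are substituted primitives.
const crypto = require('crypto');

// Derive a 256-bit key from the pass phrase. Every character, space and
// capital letter feeds the key, so "case is significant" holds literally.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Runs on the user's machine. The returned object is the only thing a
// server would ever store: random salt, nonce, ciphertext and auth tag.
function sealForServer(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(passphrase, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, body, tag: cipher.getAuthTag() };
}

// Also runs locally. Returns the text, or null when the pass phrase is
// wrong or the stored blob was altered (the GCM tag check fails).
function openFromServer(passphrase, blob) {
  try {
    const key = deriveKey(passphrase, blob.salt);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
    decipher.setAuthTag(blob.tag);
    const text = Buffer.concat([decipher.update(blob.body), decipher.final()]);
    return text.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data.
const PASSPHRASE = 'six Words, easy for you; hard 4 others';
const stored = sealForServer(PASSPHRASE, 'meet at the usual place');
```

The design only protects the stored blob; it does nothing about the weaknesses the message lists, such as a key logger on the machine or a substituted copy of the encryption code.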