Hushmail - a net woven by the fish themselves?

From "Grugnog" <grugnog@tao.ca>
Date Fri, 15 Oct 1999 18:36:28 +0100
Importance Normal


[: hacktivism :]

This is well worth a read for people (activists or cypherpunks) who have
heard 'good things' about Hushmail.
BTW, Andy <savage@easynet.co.uk> is a good bloke, so if anyone wants to add
to this investigation I am sure he would be pleased to work with you.
- Grug

-----Original Message-----
From: savage (by way of GEN lists <genetics@gn.apc.org>)
[mailto:savage@easynet.co.uk]
Sent: 15 October 1999 09:59
To: rts@gn.apc.org
Subject: -ALLSORTS-Hushmail - a net woven by the fish themselves?


Hi

If you value your freedom, only use hushmail for fun; don't say anything
you wouldn't say to a cop.

hushmail.com is claiming to provide strong encryption on email via a
web-based interface.  You can only send encrypted mail to other hushmail
account holders, so people will obviously encourage their mates to join.
A very clever net--woven by the fish themselves?

Show me your friends...

Anyway I checked who is hosting the service. It was registered by
radiant.net who, on their home page, claim that hushmail is just a
client of theirs. Maybe, but then who owns the company? Safemail enjoys
a big link on the homepage, while lesser bodies such as Maxim Chemicals
are relegated to a list on another page. The other clients of
radiant.net are very interesting. It is a 'British' Columbia internet
provider exclusively for the 'corporate community'. Bear in mind the
recent history of BC re environmentalists particularly.

From their 'about us' page:

"The corporate client needs a higher level of service and attention to
detail that is just not available from providers dealing with tens of
thousands of residential users. This dedication to the corporate
community is exactly the emphasis at Radiant and why Vancouver's
businesses are migrating to Radiant Communications."

Good buddies include:

B.C. Construction Association
New Westminster Police
Curlew Lake Resources Inc
D'N'A Military Import & Supply Inc
Georgia Pacific Securities Corporation
Hyatt Industries
Kerrisdale Lumber
Maxim Chemicals
Mineral Development Group
Pacific Metals Ltd.
Rubicon Minerals Corporation
Vancouver Condominium Services

and yes, the western canada wilderness committee is in there too, but to
me that is no less corporate.

Well, call me paranoid if you like but it seems to me that it would be
very easy for a bunch of good buddy loggers and miners to get together
with the NW police and their extremely wealthy local internet experts
(not to mention the local redneck militia supplier) to provide this nice
easy crypto-mail service and erm... help out all the activists they love
so much.

Peer Review

A prerequisite for any encryption algorithm to be taken seriously is
that the source code be available for scrutiny by other cryptographic
experts. This is the only way ordinary folks can assure themselves that
the thing they use is actually secure. If many experts over a period of
years have been unable to mount a successful attack on the encryption,
then there is a good chance that it is ok. There is too much to go into
here, but although hushmail's stuff is publicly available, I haven't
found much peer review (lots of advertising of course).

A good summary of some of the cons is at:

<http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail>

People I have corresponded with who are in the business of strong
encryption have confirmed my hunches. Anyone who knows anything about
security wouldn't touch this with someone else's computer, methinks. But
that's not who they are after, obviously. People need to be warned and
we need to find out more. It could well be bona fide, or at least
well-intentioned, but there is not enough information provided to know
that.  As this can possibly be a matter of being imprisoned for some
people, I think warnings should be prepared and circulated, unless
someone with more knowledge than me can show it is as secure as pgp.

Any help appreciated. If you think this will do as a warning then feel
free to forward it to people you care about.

Andy

PS: Nearly forgot;
<http://www.radiant.net/>

