(yes that's a 'crying' reference. I had a Genghis Cohen/ Mucho Mass thing going, but I couldn't pull it off. But yeah, more uncertainty than conspiracy)
posted by Smedleyman at 5:56 AM on November 21, 2007

I'm sure AT&T would say the same thing.
posted by DU at 6:04 AM on November 21, 2007

Anyone using Hushmail for nefarious purposes is stupid. No one needs to use Hushmail unless for nefarious purposes.
posted by stbalbach at 6:19 AM on November 21, 2007

The way I read this, they can only spy on you if you're using their web-based client. If you're using a desktop client you're still safe. (Apparently this difference in security between the two methods of access was documented by Hushmail, so nobody should be surprised.)
posted by sdodd at 6:25 AM on November 21, 2007

eklnggjkkrgak mwq fznitlpo, sqllo tnmo exdfslww golyvblewsz!
posted by quonsar at 6:27 AM on November 21, 2007

No one needs to use Hushmail unless for nefarious purposes.

Exactly, if you've done nothing wrong, you have nothing to worry about.
posted by Mr_Zero at 6:30 AM on November 21, 2007

What sdodd said.
posted by zeoslap at 6:35 AM on November 21, 2007

Corollary: If you are worried about it, you've done something wrong.
Conclusion: Guantanamo.
posted by DU at 6:36 AM on November 21, 2007

Oddly enough, the keylogger reveals that all of my passwords are ctrl-C+ctrl-V.
posted by localroger at 6:36 AM on November 21, 2007 [6 favorites]

I had always suspected that the US government had cracked most common asymmetric ciphers, but I was not completely convinced, because they had not gone through sufficient disinformation campaigns to suggest otherwise. Now they claim to need keyloggers to bypass PGP? Hah, yeah, right!

Spooks: you are so busted! I'm switching to morse handshakes. On dark alleys.
posted by Anything at 6:37 AM on November 21, 2007

Hushmail is still around? That's kind of cool. I remember when it first came out it seemed like a way better choice than Hotmail. Of course, it didn't work on the Mac, so my love of the site quickly died down.
posted by chunking express at 6:39 AM on November 21, 2007

Keylogger? I hardly know her!
posted by TechnoLustLuddite at 6:44 AM on November 21, 2007 [2 favorites]

It's also galling that they're using the keylogger on people who are doing something that would not be a crime in a free country.

I don't think MDMA is very good for you; but it's certainly not as bad for you as heavy use of alcohol or tobacco. Regardless, it's our government and who are they to prevent us from doing thing that might damage ourselves and no one else?
posted by lupus_yonderboy at 7:17 AM on November 21, 2007

Exactly, if you've done nothing wrong, you have nothing to worry about.

Until they decide to secretly change the definition of what wrong is.
posted by Hugh2d2 at 7:27 AM on November 21, 2007 [1 favorite]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I cannot see any reason why this would be a problem for anyone, ever.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHRFAyPOEWh13jFUcRApknAKDfYQTyATIhyRIdtOGVLvsL01dwPwCfRydf
r+6M6Hov8UeLGlTyZczRMo0=
=yPXa
-----END PGP SIGNATURE-----
posted by Skorgu at 7:35 AM on November 21, 2007 [2 favorites]

Anyone using Hushmail for nefarious purposes is stupid. No one needs to use Hushmail unless for nefarious purposes. Therefore, logically anyone using Hushmail is stupid.
posted by newdaddy at 7:42 AM on November 21, 2007

I'm curious as to the edge cases here. This initially looks just like planting a bug in a residence you have a warrant for. In the Scarfo case, I don't understand why there was a caveat for accessing the Internet, and why a keylogger would need to be disabled? Does it have to do with an expectation of privacy for any communicated with party?
posted by butterstick at 7:54 AM on November 21, 2007

Oddly enough, the keylogger reveals that all of my passwords are ctrl-C+ctrl-V.

Luckily for Feddies, Magic Lantern will supposedly grab the information off the Windows clipboard if you were to use the copy/paste short cuts.

Real solution - use Linux.

Now they claim to need keyloggers to bypass PGP? Hah, yeah, right!

PGP is a very strong encryption method. The keyspace of IDEA is 128-bits. In base 10 notation that is:

340,282,366,920,938,463,463,374,607,431,768,211,456.

To recover a particular key, one must, on average, search half the keyspace. That is 127 bits:

170,141,183,460,469,231,731,687,303715,884,105,728.

If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would still take all these machines longer than the universe as we know it has existed and then some, to find the key. This is how John Callas (CTO of PGP, Inc) puts it:

Imagine a computer that is the size of a grain of sand that can test keys against some encrypted data. Also imagine that it can test a key in the amount of time it takes light to cross it. Then consider a cluster of these computers, so many that if you covered the earth with them, they would cover the whole planet to the height of 1 meter. The cluster of computers would crack a 128-bit key on average in 1,000 years.

It's an open algorithm as well, so it's not like the NSA has some back door that we don't know about. It's as safe as you're going to get..
posted by SweetJesus at 7:56 AM on November 21, 2007 [3 favorites]

Imagine a computer that is the size of a grain of sand that can test keys against some encrypted data. Also imagine that it can test a key in the amount of time it takes light to cross it. Then consider a cluster of these computers, so many that if you covered the earth with them, they would cover the whole planet to the height of 1 meter. The cluster of computers would crack a 128-bit key on average in 1,000 years.

That is sweet.
posted by Mr_Zero at 7:58 AM on November 21, 2007

SweetJesus: unless the largest single employer of mathematicians in the world knows any neat tricks to factor large integers. You don't have to break IDEA if you can break RSA. (or what Anything said)

I'm somewhat impressed at how hard they try to avoid accidentally capturing any 'communications' along with the passphrase. Does this mean I can set up an encrypted feed of all my keystrokes (without giving anyone the key), and they'd theoretically be off-limits for the FBI?
posted by you at 8:07 AM on November 21, 2007

Also, unless I'm missing something, John Callas is using some non-standard definition of "year".
posted by you at 8:16 AM on November 21, 2007

mozdev.org

Man that dude is into everything, rapping, acting, open source public key crypto, what a renaissance man.
posted by Divine_Wino at 8:21 AM on November 21, 2007 [3 favorites]

The way I read this, they can only spy on you if you're using their web-based client.

Not quite... I mean, in this case yes, but the article also mentions the possibility of HushMail serving a modified java client to a particular user which would log the user's passphrase or whatnot. In theory HushMail users could go through java disassemblies or the downloaded applet every time to verify that they were the some, but then it's a question of why use hushmail at all.

The more fundamental problem is that they're placing a lot of trust in HushMail which apparently is unwarranted (vis stbalbac's initial comment).
posted by whir at 12:16 PM on November 21, 2007

SweetJesus said...

Luckily for Feddies, Magic Lantern will supposedly grab the information off the Windows clipboard if you were to use the copy/paste short cuts.

Do you have confirmation of this? It seems that it would be extremely difficult to sort out the various graphical methods which are also available for executing clipboard operations. I haven't seen anybody claim that they are logging other windows events and if they tried I think the amount of activity would make the logger's presence obvious.

Real solution - use Linux.

There are hardware keyloggers too. Linux doesn't help you there, but the clipboard does.
posted by localroger at 12:47 PM on November 21, 2007

This is why I organize all my illegal drug activities and plans for revolution through encrypted smoke signals and distributed semaphore towers.
posted by quin at 12:59 PM on November 21, 2007

Do you have confirmation of this? It seems that it would be extremely difficult to sort out the various graphical methods which are also available for executing clipboard operations. I haven't seen anybody claim that they are logging other windows events and if they tried I think the amount of activity would make the logger's presence obvious.

Wouldn't be difficult at all. All copy/paste information is stored in the Windows clipboard, so all you'd do is monitor for every time the clipboard's state changed. Many, many keyloggers do this. It's pretty basic, actually.

There are hardware keyloggers too. Linux doesn't help you there, but the clipboard does.

Yes, but you need physical access to the machine, in which case you're probably fucked anyway, cause they'll either be carting it out in an evidence box after they've arrested you, or they broke in with a "sneak and peak" warrant. The windows clipboard doesn't help you for shit if they've got your machine in their hands...

Magic Lantern is installed remotely and undetectably via known holes and exploits in Windows. It's been known about since 2001. McCafee and others won't pick it up by design. It's Windows only software, so if you're worried about it, don't use Windows. Pretty easy to defeat.
posted by SweetJesus at 2:25 PM on November 21, 2007

Thanks for the info, SJ. Not that I"m that worried about it myself the fact that the capability exists just pisses me off.
posted by localroger at 5:21 PM on November 21, 2007

Wouldn't be difficult at all. All copy/paste information is stored in the Windows clipboard, so all you'd do is monitor for every time the clipboard's state changed. Many, many keyloggers do this. It's pretty basic, actually.

Does it not depend on how much time you want to put into the copy-paste? If you're going to a known webpage where you grab the entire word/phrase you need, that's a giveaway.

But what if you copy two letters, paste, copy another two, paste over one of the previous letters, copy another two, paste between existing letters, etc, etc.. Could be a real mess. Obviously, not the way you want to have to enter passwords all the time, but if in doubt...
posted by dreamsign at 5:38 PM on November 21, 2007

This was on the FP of Slashdot a few days ago. The most damning thing that got mentioned in that discussion was that, allegedly, the "insecure" webmail mode is the default. If you use the Java-based webmail system, everything is still secure...but using the Java mode requires going into some "Advanced" preferences and switching it on. (And if you've used the insecure non-Java system even once, you need to consider your account permanently compromised.)

It's one thing to offer an insecure mode for people who really want it, but to make that the default is pretty heinous. If that's true -- and I want to emphasize the "if" -- I don't think anything else they do or claim with regards to security can be taken seriously.
posted by Kadin2048 at 10:00 PM on November 21, 2007

I think email has to die before it can evolve - because only when we figure out some entirely better way of communicating will we bother to change how every email server on the planet works.
posted by sim.possible at 8:13 AM on November 22, 2007

It's true; I mean, I remember when people stopped using regular mail and we ended up with email.
posted by chunking express at 8:24 AM on November 22, 2007