Mailing List Archive

Cryptome: NSA has real-time access to Hushmail servers
A frequent source 'A' sending updated NSA-Affiliated IP resources to Cryptome's Web site has reported the following new information:

"Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities."

Reportedly the following services are controlled:

Hushmail / Canada (http://www.hushmail.com/ ),
Guardster / USA (http://www.guardster.com/ ), and
SAFe-mail.net / Israel (http://www.safe-mail.net/ )

Link:
NSA Controls SSL Email Hosting Services:
http://cryptome.org/nsa-ssl-email.htm

SecuriTeam Blogs:
http://blogs.securiteam.com/?p=1052

Additionally, there is more information about NSA's role in the Windows security software industry provided ('further details regarding which publishers and their means of facilitation' mentioned by Cryptome post on 1st Nov, link mentioned in Bugtraq post referenced below).

Cryptome: NSA has access to Windows Mobile smartphones
http://www.securityfocus.com/archive/1/483129

Juha-Matti
RE: Cryptome: NSA has real-time access to Hushmail servers
If you insist on sending these, can you at least save them for the first calendar day in April or perhaps include a smiley or two? These claims rely solely on loosely-associated data (not "facts") and present little more than a basic unicorn argument; the basis for any "good" conspiracy theory.

Thx,
Jim

-----Original Message-----
From: Juha-Matti Laurio [mailto:juha-matti.laurio@netti.fi]
Sent: Friday, December 21, 2007 8:16 AM
To: bugtraq@securityfocus.com
Subject: Cryptome: NSA has real-time access to Hushmail servers

A frequent source 'A' sending updated NSA-Affiliated IP resources to Cryptome's Web site has reported the following new information:

"Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities."

Reportedly the following services are controlled:

Hushmail / Canada (http://www.hushmail.com/ ),
Guardster / USA (http://www.guardster.com/ ), and
SAFe-mail.net / Israel (http://www.safe-mail.net/ )

Link:
NSA Controls SSL Email Hosting Services:
http://cryptome.org/nsa-ssl-email.htm

SecuriTeam Blogs:
http://blogs.securiteam.com/?p=1052

Additionally, there is more information about NSA's role in the Windows security software industry provided ('further details regarding which publishers and their means of facilitation' mentioned by Cryptome post on 1st Nov, link mentioned in Bugtraq post referenced below).

Cryptome: NSA has access to Windows Mobile smartphones
http://www.securityfocus.com/archive/1/483129

Juha-Matti
RE: Cryptome: NSA has real-time access to Hushmail servers
In addition, it is reported that breached SSL sessions have been traced
back to IP resources located in the North Pole and controlled by one
"Kr1S Kr1gL3" who has apparently privately purchased access rights to
all Hushmail data in an effort to determine which users have been
"naughty" and which have been "nice."

Coincidence? I don't think so.

t



> -----Original Message-----
> From: Juha-Matti Laurio [mailto:juha-matti.laurio@netti.fi]
> Sent: Friday, December 21, 2007 8:16 AM
> To: bugtraq@securityfocus.com
> Subject: Cryptome: NSA has real-time access to Hushmail servers
>
> A frequent source 'A' sending updated NSA-Affiliated IP resources to
> Cryptome's Web site has reported the following new information:
>
> "Certain privacy/full session SSL email hosting services have been
> purchased/changed operational control by NSA and affiliates within the
> past few months, through private intermediary entities."
>
> Reportedly the following services are controlled:
>
> Hushmail / Canada (http://www.hushmail.com/ ),
> Guardster / USA (http://www.guardster.com/ ), and
> SAFe-mail.net / Israel (http://www.safe-mail.net/ )
>
> Link:
> NSA Controls SSL Email Hosting Services:
> http://cryptome.org/nsa-ssl-email.htm
>
> SecuriTeam Blogs:
> http://blogs.securiteam.com/?p=1052
>
> Additionally, there is more information about NSA's role on Windows
> security software industry provided ('further details regarding which
> publishers and their means of facilitation' mentioned by Cryptome post
> on 1st Nov, link mentioned in Bugtraq post referenced below).
>
> Cryptome: NSA has access to Windows Mobile smartphones
> http://www.securityfocus.com/archive/1/483129
>
> Juha-Matti
RE: Cryptome: NSA has real-time access to Hushmail servers
Concerning the credibility of recent cryptome posts, I did some research on
the NSA IP address list they have been updating and found out some really
interesting stuff. Here's my post on what I found:

The NSA controls most of the Internet, or at least that's what they want you
to think
http://xato.net/bl/2007/12/22/nsa-controls-internet/


Mark Burnett



> -----Original Message-----
> From: Jim Harrison [mailto:Jim@isatools.org]
> Sent: Friday, December 21, 2007 11:41 AM
> To: Juha-Matti Laurio; bugtraq@securityfocus.com
> Subject: RE: Cryptome: NSA has real-time access to Hushmail servers
>
> If you insist on sending these, can you at least save them for the
> first calendar day in April or perhaps include a smiley or two? These
> claims rely solely on loosely-associated data (not "facts") and present
> little more than a basic unicorn argument; the basis for any "good"
> conspiracy theory.
>
> Thx,
> Jim
>
> -----Original Message-----
> From: Juha-Matti Laurio [mailto:juha-matti.laurio@netti.fi]
> Sent: Friday, December 21, 2007 8:16 AM
> To: bugtraq@securityfocus.com
> Subject: Cryptome: NSA has real-time access to Hushmail servers
>
> A frequent source 'A' sending updated NSA-Affiliated IP resources to
> Cryptome's Web site has reported the following new information:
>
> "Certain privacy/full session SSL email hosting services have been
> purchased/changed operational control by NSA and affiliates within the
> past few months, through private intermediary entities."
>
> Reportedly the following services are controlled:
>
> Hushmail / Canada (http://www.hushmail.com/ ),
> Guardster / USA (http://www.guardster.com/ ), and
> SAFe-mail.net / Israel (http://www.safe-mail.net/ )
>
> Link:
> NSA Controls SSL Email Hosting Services:
> http://cryptome.org/nsa-ssl-email.htm
>
> SecuriTeam Blogs:
> http://blogs.securiteam.com/?p=1052
>
> Additionally, there is more information about NSA's role on Windows
> security software industry provided ('further details regarding which
> publishers and their means of facilitation' mentioned by Cryptome post
> on 1st Nov, link mentioned in Bugtraq post referenced below).
>
> Cryptome: NSA has access to Windows Mobile smartphones
> http://www.securityfocus.com/archive/1/483129
>
> Juha-Matti
RE: Cryptome: NSA has real-time access to Hushmail servers
Guardster Team has posted its response on 21st Dec to Cryptome:

"We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.
…."

Link:
http://cryptome.org/nsa-ssl-email.htm

My SecuriTeam Blogs post has been updated to include this information too.

Juha-Matti

> > A frequent source 'A' sending updated NSA-Affiliated IP resources to
> > Cryptome's Web site has reported the following new information:
> >
> > "Certain privacy/full session SSL email hosting services have been
> > purchased/changed operational control by NSA and affiliates within the
> > past few months, through private intermediary entities."
> >
> > Reportedly the following services are controlled:
> >
> > Hushmail / Canada (http://www.hushmail.com/ ),
> > Guardster / USA (http://www.guardster.com/ ), and
> > SAFe-mail.net / Israel (http://www.safe-mail.net/ )
--clip--
Re: Cryptome: NSA has real-time access to Hushmail servers
On Sat, 22 Dec 2007 14:02:18 +0200, Juha-Matti Laurio said:
> Guardster Team has posted its response on 21st Dec to Cryptome:

> "We can assure you that we do not cooperate with the NSA or any other
> government agency anywhere in the world. We invite whomever is making this
> statement to provide proof, rather than making a baseless accusation.

Note that if they had been served with an NSL (National Security Letter),
they may be legally *required* to lie about it while cooperating. Actually
truthfully saying "Yeah, an NSL showed up and we complied" could land them
in jail....
Re: Cryptome: NSA has real-time access to Hushmail servers
Valdis.Kletnieks@vt.edu wrote:

> Note that if they had been served with an NSL (National Security Letter),
> they may be legally *required* to lie about it while cooperating. Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could land them
> in jail....

I don't think that they are required to actively lie about it.

There is a difference between:

Q: Have you been served with an NSL?
A: No.

and

Q: Have you been served with an NSL?
A: No comment.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: Cryptome: NSA has real-time access to Hushmail servers
Wasn't there an article or a post somewhere about an ISP that
maintained a canary web page with the statement "we haven't been
served with an NSL" and (I think) a date that was meant to be taken
down or perhaps merely not updated in such an event?

Cute idea, though I suppose they would also be subject to sanctions
for not maintaining it.

On Dec 26, 2007 1:33 PM, <Valdis.Kletnieks@vt.edu> wrote:
> On Sat, 22 Dec 2007 14:02:18 +0200, Juha-Matti Laurio said:
> > Guardster Team has posted its response on 21st Dec to Cryptome:
>
> > "We can assure you that we do not cooperate with the NSA or any other
> > government agency anywhere in the world. We invite whomever is making this
> > statement to provide proof, rather than making a baseless accusation.
>
> Note that if they had been served with an NSL (National Security Letter),
> they may be legally *required* to lie about it while cooperating. Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could land them
> in jail....
>
Re: Cryptome: NSA has real-time access to Hushmail servers
Valdis.Kletnieks@vt.edu wrote:
> Note that if they had been served with an NSL (National Security Letter),
> they may be legally *required* to lie about it while cooperating. Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could land them
> in jail....

Required to lie, or just required to not disclose the cooperation?
Re: Cryptome: NSA has real-time access to Hushmail servers
Steve Shockley wrote:

>
> Required to lie, or just required to not disclose the cooperation?
>

We cannot confirm nor deny this term "lie/(un)disclose" at present time.

http://libraryjuicepress.com/blog/?p=291

--
====================================================
J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
Re: Cryptome: NSA has real-time access to Hushmail servers
"Kurt Buff" <kurt.buff@gmail.com> top-posted:

> Wasn't there an article or a post somewhere about an ISP that
> maintained a canary web page with the statement "we haven't been
> served with an NSL" and (I think) a date that was meant to be taken
> down or perhaps merely not updated in such an event?

In the days of Carnivore, Alexis would often be asked "Has Carnivore
been installed on Panix's network?" He'd answer "no".

> Cute idea, though I suppose they would also be subject to sanctions
> for not maintaining it.

Taking down a page might be construed as communication; failing to
answer a question isn't (else it's compelled speech, and a compelled
lie at that.)

Seth
Re: Cryptome: NSA has real-time access to Hushmail servers
On Dec 27, 2007 10:11 AM, Steve Shockley <steve.shockley@shockley.net> wrote:
>
> Required to lie, or just required to not disclose the cooperation?
>

And the difference would be?

--
Rob
RE: Cryptome: NSA has real-time access to Hushmail servers
One would be required not to disclose the fact that you were served a
letter or what records you were "asked" to disclose. Apparently, the
language of the letter is worded to make one think that cooperation is
legally required, though it looks like it is voluntary. And even
"required" is dubious... According to the ACLU, the "gag order" portion
of the NSL provision of the Patriot Act was found to be unconstitutional
on two occasions.

But no, you couldn't be legally required to "lie." Had Guardster
received such a letter, and they decided to comply, they would most
likely have not responded at all rather than make a public statement to
the contrary...

t

> -----Original Message-----
> From: Steve Shockley [mailto:steve.shockley@shockley.net]
> Sent: Thursday, December 27, 2007 10:11 AM
> To: bugtraq@securityfocus.com
> Subject: Re: Cryptome: NSA has real-time access to Hushmail servers
>
> Valdis.Kletnieks@vt.edu wrote:
> > Note that if they had been served with an NSL (National Security Letter),
> > they may be legally *required* to lie about it while cooperating. Actually
> > truthfully saying "Yeah, an NSL showed up and we complied" could land them
> > in jail....
>
> Required to lie, or just required to not disclose the cooperation?
RE: Cryptome: NSA has real-time access to Hushmail servers
You cannot be made to lie. Legally, there are no Government privileges that obligate perjury.

You can be asked to keep quiet and in fact, discussing an ongoing case is risky in any event (NSA or local police).

Regards,
Dr Craig Wright (GSE-Compliance)



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


________________________________________

From: Steve Shockley [steve.shockley@shockley.net]
Sent: Friday, 28 December 2007 5:11 AM
To: bugtraq@securityfocus.com
Subject: Re: Cryptome: NSA has real-time access to Hushmail servers

Valdis.Kletnieks@vt.edu wrote:
> Note that if they had been served with an NSL (National Security Letter),
> they may be legally *required* to lie about it while cooperating. Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could land them
> in jail....

Required to lie, or just required to not disclose the cooperation?
RE: Cryptome: NSA has real-time access to Hushmail servers
http://www.rsync.net/resources/notices/canary.txt

Not an ISP, but if your data resides on their server(s), ...

-----Original Message-----
From: Kurt Buff [mailto:kurt.buff@gmail.com]
Sent: Thursday, December 27, 2007 12:26 PM
To: bugtraq@securityfocus.com
Subject: Re: Cryptome: NSA has real-time access to Hushmail servers


Wasn't there an article or a post somewhere about an ISP that
maintained a canary web page with the statement "we haven't been
served with an NSL" and (I think) a date that was meant to be taken
down or perhaps merely not updated in such an event?

Cute idea, though I suppose they would also be subject to sanctions
for not maintaining it.

On Dec 26, 2007 1:33 PM, <Valdis.Kletnieks@vt.edu> wrote:
> On Sat, 22 Dec 2007 14:02:18 +0200, Juha-Matti Laurio said:
> > Guardster Team has posted its response on 21st Dec to Cryptome:
>
> > "We can assure you that we do not cooperate with the NSA or any other
> > government agency anywhere in the world. We invite whomever is making this
> > statement to provide proof, rather than making a baseless accusation.
>
> Note that if they had been served with an NSL (National Security Letter),
> they may be legally *required* to lie about it while cooperating. Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could land them
> in jail....
>
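The canary page discussed in this sub-thread (a "we haven't been served with an NSL" statement plus a date, which is either taken down or simply no longer updated) can be monitored mechanically from the reader's side. The following is an added example, not part of any post in this thread and not any provider's own code; the `Statement date:` line format, the 7-day refresh window and the sample pages are assumptions, and it checks freshness only, not whether the page is authentic.

```python
import re
from datetime import date, timedelta
from typing import Iterable, Optional, Tuple

# Constructed sample pages (hypothetical provider, assumed line format).
SAMPLE_CURRENT = """\
Warrant canary, example-provider (constructed sample)
Statement date: 2007-12-24
We haven't been served with an NSL.
"""
SAMPLE_REWORDED = """\
Warrant canary, example-provider (constructed sample)
Statement date: 2007-12-24
We have no comment on legal process.
"""

# The statement quoted in the thread; accept straight or typographic apostrophe.
STATEMENT_RE = re.compile(r"haven['’]t\s+been\s+served\s+with\s+an\s+NSL", re.I)
# Assumed date line; a real canary may use a different layout.
DATE_RE = re.compile(r"^Statement date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.I | re.M)


def check_canary(text: Optional[str], today: date, max_age_days: int = 7) -> str:
    """Classify one fetch of the canary page.

    text is None when the page could not be retrieved (taken down).
    Any result other than "fresh" means the canary no longer vouches for anything.
    """
    if text is None or not text.strip():
        return "removed"
    if not STATEMENT_RE.search(text):
        return "statement-missing"   # page exists but the wording changed
    match = DATE_RE.search(text)
    if not match:
        return "undated"
    try:
        stated = date(*(int(part) for part in match.groups()))
    except ValueError:               # e.g. month 13: treat as no usable date
        return "undated"
    if stated > today:
        return "future-dated"        # pre-dated pages defeat the scheme
    if today - stated > timedelta(days=max_age_days):
        return "stale"               # "merely not updated"
    return "fresh"


def first_alarm(
    observations: Iterable[Tuple[date, Optional[str]]], max_age_days: int = 7
) -> Optional[Tuple[date, str]]:
    """Return (day, status) for the first observation that is not fresh."""
    for when, text in observations:
        status = check_canary(text, when, max_age_days)
        if status != "fresh":
            return when, status
    return None


if __name__ == "__main__":
    history = [
        (date(2007, 12, 25), SAMPLE_CURRENT),
        (date(2007, 12, 31), SAMPLE_CURRENT),
        (date(2008, 1, 1), SAMPLE_CURRENT),   # page silently stopped updating
    ]
    print(first_alarm(history))
```

A silent failure to update and an outright removal are reported as different states, which matters for the point raised in the thread about which of the two might count as communication.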
Re: Cryptome: NSA has real-time access to Hushmail servers
On Dec 26, 2007, at 4:33 PM, Valdis.Kletnieks@vt.edu wrote:

> On Sat, 22 Dec 2007 14:02:18 +0200, Juha-Matti Laurio said:
>> Guardster Team has posted its response on 21st Dec to Cryptome:
>
>> "We can assure you that we do not cooperate with the NSA or any other
>> government agency anywhere in the world. We invite whomever is
>> making this
>> statement to provide proof, rather than making a baseless accusation.
>
> Note that if they had been served with an NSL (National Security
> Letter),
> they may be legally *required* to lie about it while cooperating.
> Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could
> land them
> in jail....

not exactly true, i think. the gag order on recipients of a NSL has
never required lying, just saying nothing (which is bad enough, given
the historical lack of recipient access to judicial review).

i would personally be more suspicious of the providers who had no
comment than the ones who made unequivocal denials.

the gag feature is in court at the moment (with a ruling against the
govt's position from as recently as september) according to

http://en.wikipedia.org/wiki/National_security_letter
Re: Re: Cryptome: NSA has real-time access to Hushmail servers
To Guardster Team & Juha-Matti

Here's the proof.

U.S. Calea law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By U.S. law any telecommunications carrier (that's you HushMail) that does business in the U.S. shall ensure intercept of all wire and electronic communications. So we have two choices, HushMail is telling the truth and knowingly breaking U.S. law. Or Hushmail is lying to the public and is a legal business in the U.S. The simplest answer is that Hushmail is a legal business in the U.S.


http://www.askcalea.net/calea/103.html
RE: Cryptome: NSA has real-time access to Hushmail servers
Hushmail Team has posted its response on 29th Dec to Cryptome:

"Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency."

Response from Safe-mail.net Team is the following:

"1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party."

posted on 24th Dec to Cryptome's Web site.

Link:
http://cryptome.org/nsa-ssl-email.htm

My SecuriTeam Blogs post has been updated to include this information too.

Juha-Matti

Juha-Matti Laurio <juha-matti.laurio@netti.fi> wrote:
> > > A frequent source 'A' sending updated NSA-Affiliated IP resources to
> > > Cryptome's Web site has reported the following new information:
> > >
> > > "Certain privacy/full session SSL email hosting services have been
> > > purchased/changed operational control by NSA and affiliates within the
> > > past few months, through private intermediary entities."
> > >
> > > Reportedly the following services are controlled:
> > >
> > > Hushmail / Canada (http://www.hushmail.com/ ),
> > > Guardster / USA (http://www.guardster.com/ ), and
> > > SAFe-mail.net / Israel (http://www.safe-mail.net/ )
--clip--
RE: Re: Cryptome: NSA has real-time access to Hushmail servers
It is important to note that CALEA only applies to telecommunications
services and explicitly exempts information services. Furthermore, there is
this exception:

(3) ENCRYPTION- A telecommunications carrier shall not be responsible
for decrypting, or ensuring the government's ability to decrypt, any
communication encrypted by a subscriber or customer, unless the encryption
was provided by the carrier and the carrier possesses the information
necessary to decrypt the communication.

So surely, Hushmail, Guardster, and Safe-Mail would not legally be required
to provide this assistance to the U.S. government. And if they were to allow
users to control encryption they could also protect themselves that way.
While the NSA certainly may have the capabilities to spy (perhaps illegally)
on any network or service provider, the original accusation on cryptome
states that:

1. "Hushmail...now fully owned by private entity NSA affiliate..."
2. "Safe-mail.net...provides mail server info to NSA real time"
3. "NSA contractors have 'bought' full access rights to Guardster..."

However, the anonymous cryptome poster does not provide any evidence,
references, or any other basis for making that claim. Remember that this is
the same anonymous poster who, again without providing any evidence, claims
that the NSA owns 90% of the internet (but didn't include pentagon.mil, and
many .mil, .gov, DISA etc.), and who also claims that Windows is backdoored
using ephemeral TCP ports 1024-1030. Oh and major firewall vendors are in on
it too. There is not even an explanation of how he came up with these
conclusions, we just have to take the word of an anonymous author.

So while this all makes for a good conspiracy (of course they deny it, they
are required by law), we really have no basis to determine if this is in
fact true or not, so we have gained nothing but a lot of noise to clutter
*real* issues.

Spreading rumors such as these is damaging. An analogy: If I really wanted
to break into a particular business, I would first spend several weeks
purposely tripping the alarm. Anyone who has ever owned a faulty alarm
system will agree that after just 3 or 4 false alarms, the system loses
credibility to the point where you are much more likely to view any
subsequent alarms as false alarms. The alarm system is crying wolf.

A year ago we heard accusations that AT&T gave the NSA access to its
network. We all strongly believed it to be true. But if the Internet and
news media had previously been flooded with NSA collaboration conspiracy
theories that just about everyone was working with the NSA, would we have
had more doubts when the story originally broke? I think we would have. Will
we be more skeptical of the next accusation? Surely we will.


Mark Burnett


Refs:
http://cryptome.org/nsa-ip-update15.htm
http://xato.net/bl/2007/12/22/nsa-controls-internet/




> -----Original Message-----
> From: gb@gb.hates.the.constitution.gov
> [mailto:gb@gb.hates.the.constitution.gov]
> Sent: Friday, December 28, 2007 3:55 AM
> To: bugtraq@securityfocus.com
> Subject: Re: Re: Cryptome: NSA has real-time access to Hushmail servers
>
> To Guardster Team & Juha-Matti
>
>
> Here's the proof.
>
>
> U.S. Calea law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By U.S.
> law any telecommunications carrier (that's you HushMail) that does
> business in the U.S. shall ensure intercept of all wire and electronic
> communications. So we have two choices, HushMail is telling the truth
> and knowingly breaking U.S. law. Or Hushmail is lying to the public and
> is a legal business in the U.S. The simplest answer is that Hushmail is
> a legal business in the U.S.
>
> > http://www.askcalea.net/calea/103.html
Re: Cryptome: NSA has real-time access to Hushmail servers
Man,

You should read a bit more. Comparing Calea to National Security Letters
is completely out to lunch. For one, Calea requires a court order,
enough evidence has to be presented to a judge to convince him to write the
order, a NSL does not.

For another, "telecommunications carrier" refers to carriers, not
content providers. So only your access point is covered (I'm not sure if
internet Calea is even in place yet). But it certainly doesn't cover any
content providers, web and email for example. So HushMail wouldn't fall
under Calea.

And finally, HushMail can't even fall under a NSL because it isn't a US
company and doesn't operate in their country.

gb@gb.hates.the.constitution.gov wrote:
> To Guardster Team & Juha-Matti
>
> Here's the proof.
>
> U.S. Calea law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By U.S. law any telecommunications carrier (that's you HushMail) that does business in the U.S. shall ensure intercept of all wire and electronic communications. So we have two choices, HushMail is telling the truth and knowingly breaking U.S. law. Or Hushmail is lying to the public and is a legal business in the U.S. The simplest answer is that Hushmail is a legal business in the U.S.
>
>
> http://www.askcalea.net/calea/103.html
>
Re: Cryptome: NSA has real-time access to Hushmail servers
On 2007-12-28, at 0555, gb@gb.hates.the.constitution.gov wrote:
>
> To Guardster Team & Juha-Matti
>
> Here's the proof.
>
> U.S. Calea law "Sec. 103. ASSISTANCE CAPABILITY REQUIREMENTS" By
> U.S. law any telecommunications carrier (that's you HushMail) that
> does business in the U.S. shall ensure intercept of all wire and
> electronic communications. So we have two choices, HushMail is
> telling the truth and knowingly breaking U.S. law. Or Hushmail is
> lying to the public and is a legal business in the U.S. The simplest
> answer is that Hushmail is a legal business in the U.S.
>
> http://www.askcalea.net/calea/103.html


get your facts straight. a "legal business in the U.S." is not the
same thing as a "telecommunications carrier".

you are correct about what section 103 says.

however, read in section 102 (47USC1001), where they define the term
"Telecommunications carrier".

subsection (8)(B)(ii) is kinda vague- apparently, if the FCC decides
that an email server is a "replacement for a substantial portion of
the local telephone exchange service and that it is in the public
interest to deem such a person or entity to be a telecommunications
carrier for the purposes of this title", then anybody who runs an email
server would be required to make provisions for government wire-tapping.

so... did the FCC declare email servers to be part of the telephone
service, and nobody noticed?

subsection (8)(C)(i) explicitly says that "information services" are
NOT included. subsection (6) defines what the term "information
services" means... and (6)(B)(iii) sounds like an email server to me.

in addition, subsection (6)(A) seems to indicate that the term
"information services" would include encryption and decryption (they
are "transforming", after all), which means that they would also NOT
be covered under the CALEA law.

so my semi-educated but usually correct guess is that, unless they are
providing connectivity to clients, hushmail is not a
"telecommunications carrier" and therefore are not required to make
any provisions for government monitoring.

if they ARE providing connectivity, that's a totally different story.
the fact is that they have your secret key on their server. it may be
encrypted so they can't just plain read the key data, and they read
the passphrase for that encryption wrapper from a web browser whenever
they need to do something with the key. if they WERE considered to be
a "telecommunications carrier" and received an order to monitor a
user, they could easily change their scripting so that the first time
that the user USED their key, the script would decrypt the key itself,
and then make a copy of the un-encrypted secret key data, and then de-
crypt anything in the user's account.

personally, i wouldn't use hushmail anyway. i prefer PGP/GPG, where
the secret key never leaves the computer sitting in front of me. if
hushmail didn't have the secret key, then they wouldn't be able to
provide any de-crypted information, regardless of whether they can
convince a court that hushmail should be considered a
"telecommunications carrier".

----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1@jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------