Hushmail unencrypted and handed over client’s emails; backdoor revealed
November 16th, 2007 — Uncategorized
Hushmail was always known as a secure, private webmail company that markets itself by saying that “…not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company. So while the stored email is protected by the user’s passphrase, if this passphrase is verified server-side because the user logged in over SSL, the user is not using the more secure method, the Java applet Hushmail provides, which encrypts (and, I suspect, hashes) the passphrase before it is sent over the wire. The advantage of the latter approach is that the server never has the chance to see the ‘real’ password, but the users gave up the ghost when they used the SSL login, which I suspect they never thought would lead to their downfall, especially when you look at how Hushmail markets itself. So while not having to install that Java applet is more convenient, it’s clearly less secure: “The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your pass phrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.”
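To make the difference between the two login modes concrete, here is an added illustration (my own sketch, not Hushmail’s code or protocol): the client derives separate authentication and encryption keys from the passphrase, so a server that only ever receives the auth key cannot decrypt stored mail, while a server that receives the passphrase itself can. The KDF parameters, salt and the HMAC-based stand-in cipher are constructed for the example.

```python
import hashlib
import hmac

KDF_ITERS = 100_000          # constructed parameter, not Hushmail's
SALT = b"constructed-salt"   # constructed; a real system uses a random per-user salt

def derive_keys(passphrase: str):
    """Client side: one passphrase -> separate authentication and encryption keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, KDF_ITERS)
    auth_key = hmac.new(master, b"auth", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    return auth_key, enc_key

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for a real cipher: HMAC counter keystream XORed with the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class MailServer:
    """Stores a hash of auth_key plus the ciphertext, and records what it observed."""
    def __init__(self):
        self.verifiers, self.mailbox, self.observed = {}, {}, {}

    def register(self, user: str, auth_key: bytes, ciphertext: bytes) -> None:
        self.verifiers[user] = hashlib.sha256(auth_key).digest()
        self.mailbox[user] = ciphertext

    def login_ssl(self, user: str, passphrase: str) -> bool:
        # Convenience mode: the passphrase itself reaches the server (TLS only hides it in transit).
        self.observed[user] = passphrase
        auth_key, _ = derive_keys(passphrase)
        return self._check(user, auth_key)

    def login_applet(self, user: str, auth_key: bytes) -> bool:
        # Applet mode: the passphrase stays on the client; only the derived auth_key is sent.
        self.observed[user] = auth_key
        return self._check(user, auth_key)

    def _check(self, user: str, auth_key: bytes) -> bool:
        return hmac.compare_digest(self.verifiers[user], hashlib.sha256(auth_key).digest())

def read_with_server_access(server: MailServer, user: str):
    """What someone holding the server (or a court order for its contents) can recover."""
    secret = server.observed.get(user)
    if isinstance(secret, str):            # passphrase was seen: enc_key follows, mail is readable
        _, enc_key = derive_keys(secret)
        return xor_stream(enc_key, server.mailbox[user])
    return None                            # only auth_key seen: enc_key is not derivable from it
```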
AT&T’s programming language for mass surveillance
November 13th, 2007 — Uncategorized
While data-mining techniques used for marketing should be viewed with a skeptical eye, the fact that AT&T has developed a C language variant called Hancock to mine gigabytes of telephone and Internet records should raise red flags automatically. “…the phone company uses Hancock-coded software to crunch through tens of millions of long distance phone records a night to draw up what AT&T calls “communities of interest” — i.e., calling circles that show who is talking to whom. The system was built in the late 1990s to develop marketing leads, and as a security tool to see if new customers called the same numbers as previously cut-off fraudsters — something the paper refers to as “guilt by association.” [...] recent revelations that the FBI has been requesting “communities of interest” records from phone companies under the USA PATRIOT Act without a warrant. Where the bureau got the idea that phone companies collect such data has, until now, been a mystery. According to a letter from Verizon to a congressional committee earlier this month, the FBI has been asking Verizon for “community of interest” records on some of its customers out to two generations — i.e., not just the people that communicated with an FBI target, but also those who talked to people who talked to an FBI target.” Yep, let’s spread that net far and wide…here’s hoping AT&T is held accountable in its current federal court trial over the secret internet spying rooms it ran for the NSA in its domestic internet switching facilities.
Intel official: say goodbye to privacy
November 12th, 2007 — Uncategorized
During a hearing to review the Foreign Surveillance Intelligence Act, Congress was told by intelligence official Donald Kerr that, “…it is time people in the United States changed their definition of privacy. Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Right, because we all know what a great job businesses are doing keeping our data safe! It is unacceptable for an official to declare that our rights need to be usurped and then have us rely on businesses to keep our records safe; they’ve been failing to do that for years, so why would there be any difference now? In fact, if Mr. Kerr’s plan went through, these companies would be bigger targets for exploitation, as they’d hold a bigger payout for would-be attackers. Come on, no more ‘give up your rights to survive’ rhetoric; we’ve had enough. There’s more good coverage on this at Wired.
AT&T threatens to disconnect subscribers who criticize the company
October 1st, 2007 — Uncategorized
They just keep it up: now it’s come to light that AT&T has rolled out new Terms of Service for its DSL service that restrict users, while leaving the proof as a rather abstract concept. Here’s the skinny, “…In section 5 of its legal ToS, AT&T stipulates the following:
AT&T may immediately terminate or suspend all or a portion of your Service, any Member ID, electronic mail address, IP address, Universal Resource Locator or domain name used by you, without notice, for conduct that AT&T believes (a) violates the Acceptable Use Policy; (b) constitutes a violation of any law, regulation or tariff (including, without limitation, copyright and intellectual property laws) or a violation of these TOS, or any applicable policies or guidelines, or (c) tends to damage the name or reputation of AT&T, or its parents, affiliates and subsidiaries.
Translation: “conduct” that AT&T “believes” “tends to damage” its name, or the name of its partners, can get you booted off the service. Note the use of “tends to damage”: the language of the contract does not require any proof of any actual damage.” Nice, so much for free speech, if you’re an AT&T customer, which I’m not. Heck, if I were, you wouldn’t be reading this!
AT&T censors Pearl Jam
August 9th, 2007 — Uncategorized
UPDATE: AT&T have responded. “Officially, AT&T claims that the act of censorship was the result of a simple mistake made by the content monitor”: “The editing of the Pearl Jam performance on Sunday night was not intended, but rather a mistake by a webcast vendor and contrary to our policy. We have policies in place with respect to editing excessive profanity, but AT&T does not edit or censor performances. We have that policy in place because the blue room is not age-restricted. We regret the mistake and are trying to work with the band to post the song in its entirety.”
A bit of heavy-handed censorship of a Pearl Jam concert by AT&T this weekend led the band to fire off an open letter to fans, a letter in which Pearl Jam railed against media and ISP consolidation and called for readers to support network neutrality. During a recent show, Pearl Jam played “…the melody from Pink Floyd’s “The Wall,” and Eddie Vedder served up a pair of anti-Bush lyrics to the tune. “George Bush, leave this world alone,” he sang. “George Bush, find yourself another home.”” which AT&T censored on the webcast of the concert. PJ were obviously unhappy, and made a bid to support net neutrality, something that seems to be below most people’s radar. From their site:
This, of course, troubles us as artists but also as citizens concerned with the issue of censorship and the increasingly consolidated control of the media. Aspects of censorship, consolidation, and preferential treatment of the internet are now being debated under the umbrella of “NetNeutrality.” Check out The Future of Music or Save the Internet for more information on this issue.
“What happened to us this weekend was a wake-up call, and it’s about something much bigger than the censorship of a rock band.”
Remember, if only a few big companies own the Internet’s bandwidth, the same sort of censorship could take place on any Internet content. Net neutrality is the only fair option, demand it.
About
August 7th, 2007 — Uncategorized
Left to chance came online as my personal blog in the Fall of 2001. As events that year dictated, it quickly turned political as I found my voice and opted to raise awareness and spark conversation about the many evolving issues of the day. By 2007 LTC had become neglected for two reasons: one, the news highlighting my discontent was being covered by popular media outlets better than in the past, and two, the site had been ‘banned’ at my place of employment, so that I could not update it during the day. I’m actually kind of proud of that last fact, but I have since left that job and now have the freedom to do as I please once again.
Then, after attending an Electronic Frontier Foundation (EFF) Q&A session and speaking with their lawyers and staff at Defcon 15 (August, 2007), I donated to EFF and became a member. I left the conference with a feeling of wanting to do something to complement their work, not only in promoting awareness of digital rights and online privacy, but in trying to effect change by organizing my thoughts and sparking conversation on the topics. Once this occurs it is my hope that Left to chance will serve as some sort of sentinel that helps direct people to protest current and proposed laws so they can fight for their digital rights and online privacy.
I hope you find the site useful as well as educational. Thanks.
Phil
