Hushmail unencrypted and handed over client’s emails; backdoor revealed
November 16th, 2007 — Uncategorized
Hushmail was always known as a secure, private webmail company that markets itself by saying that “…not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company. So while the stored email is protected by the user’s passphrase, if that passphrase is sent to the server for verification when the user logs in over SSL, the user is not using the more secure method Hushmail provides: the Java applet, which encrypts (and I suspect hashes) the passphrase before it’s sent over the wire. The advantage of the latter approach is that the server never has the chance to see the ‘real’ password, but the user(s) gave up the ghost when they used the SSL practice, which I suspect they never thought would lead to their downfall, especially when you look at how Hushmail markets themselves. So while not having to install that Java applet is more convenient, it’s clearly less secure: “The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your pass phrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.”
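To make the difference between the two login models concrete, here is an added example (not Hushmail’s code or protocol) that models a server under each scheme: in the SSL model the server is handed the passphrase and can derive the mailbox key; in the applet model the client sends only a separately derived verifier, so the server can authenticate the user but holds nothing that decrypts the mailbox. The salts, iteration count, PBKDF2 derivation and the toy cipher are all assumptions for illustration.

```python
import hashlib
import hmac

# Constructed illustration of the two login models the post contrasts.
# Not Hushmail's real protocol: salts, iteration count and derivation
# scheme are assumptions chosen for demonstration only.
ITERATIONS = 50_000
MAIL_SALT = b"constructed-mail-salt"  # per-user in practice
AUTH_SALT = b"constructed-auth-salt"  # must differ from MAIL_SALT

def derive(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation from a passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)

def mail_key(passphrase: str) -> bytes:
    """Key protecting the stored mailbox; only ever derived on the client."""
    return derive(passphrase, MAIL_SALT)

def auth_verifier(passphrase: str) -> bytes:
    """Applet model: the client sends this derived value instead of the passphrase."""
    return derive(passphrase, AUTH_SALT)

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream XOR (encrypt == decrypt). Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(data[i:i + 32], block))
    return bytes(out)

def server_ssl_login(passphrase_over_ssl: str, stored_ciphertext: bytes) -> bytes:
    """SSL login model: the server receives the passphrase itself, so it can derive
    the mail key and read the mailbox. This is the exposure the post describes."""
    return toy_cipher(mail_key(passphrase_over_ssl), stored_ciphertext)

def server_applet_login(verifier: bytes, stored_verifier: bytes, stored_ciphertext: bytes) -> bytes:
    """Applet model: the server sees only the verifier. It can authenticate, but the
    verifier neither is nor derives the mail key, so the mailbox stays opaque. The
    verifier still needs protecting: a weak passphrase could be guessed from it."""
    if not hmac.compare_digest(verifier, stored_verifier):
        raise PermissionError("login rejected")
    return toy_cipher(verifier, stored_ciphertext)  # best the server can do: garbage

def demo() -> dict:
    # Constructed user; mailbox is encrypted client-side, then both server models are tried.
    passphrase, message = "correct horse battery", b"private correspondence"
    stored = toy_cipher(mail_key(passphrase), message)
    v = auth_verifier(passphrase)
    return {"ssl_model": server_ssl_login(passphrase, stored),
            "applet_model": server_applet_login(v, v, stored)}
```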
Judge holds RIAA evidence insufficient
October 30th, 2007 — Uncategorized
Here’s a good Slashdot story: “A judge in Rochester, New York, has denied an RIAA application for default judgment on the ground that the RIAA’s evidence was insufficient, in that it contained no details of actual downloads or distributions, and no sufficient evidence that defendant was in fact Kazaa user ‘heavyjeffmc@KaZaA.’ The decision concluded that ‘there are significant issues of fact regarding the identification of the defendant from his alleged “online media distribution system” username.’ (In case you’re unfamiliar with the term ‘online media distribution system,’ that’s because it is a term the RIAA coined 4 years ago to describe p2p file sharing accounts in its lawsuits; the term is not known to have been used by anyone else anywhere else.)” So while an IP isn’t good enough to nail down a ‘downloader’ (or in this case someone who used Kazaa, for what we don’t know), here a judge decides that a user name (which anyone can make up) doesn’t truly represent a certain person.
AT&T threatens to disconnect subscribers who criticize the company
October 1st, 2007 — Uncategorized
They just keep it up; now it’s come to light that AT&T has rolled out new Terms of Service for its DSL service that restrict users, while leaving the proof as a rather abstract concept. Here’s the skinny: “…In section 5 of its legal ToS, AT&T stipulates the following:
AT&T may immediately terminate or suspend all or a portion of your Service, any Member ID, electronic mail address, IP address, Universal Resource Locator or domain name used by you, without notice, for conduct that AT&T believes (a) violates the Acceptable Use Policy; (b) constitutes a violation of any law, regulation or tariff (including, without limitation, copyright and intellectual property laws) or a violation of these TOS, or any applicable policies or guidelines, or (c) tends to damage the name or reputation of AT&T, or its parents, affiliates and subsidiaries.
Translation: “conduct” that AT&T “believes” “tends to damage” its name, or the name of its partners, can get you booted off the service. Note the use of “tends to damage”: the language of the contract does not require any proof of any actual damage.” Nice, so much for free speech - if you’re an AT&T customer, which I’m not. Heck, if I were, you wouldn’t be reading this!
Wiretapping law casts pall on Democrats
August 9th, 2007 — Uncategorized
While much has been said of last week’s ruling, US News has a summary of many different outlets on the upcoming fallout for the Democrats. “With Congress out of town, media outlets continue to analyze the performance of the Democratic majority. Some media sources suggest last weekend’s passage of a wiretapping bill, opposed by the party’s liberal base, may prove politically troublesome for Democrats.” It’s true, they will be held accountable for this.
Feinstein does an about face
August 9th, 2007 — Uncategorized
Two years ago, when a wiretapping proposal similar to the FISA expansion came up, California Senator Dianne Feinstein said that the proposal “calls into question the integrity and credibility of our nation’s commitment to the rule of law.” Then last week, just days after stating, “There is a suspicion that the administration wants to move too boldly. And once you sacrifice rights, it’s hard to get those rights protected again”, she went and voted for the FISA expansion (S. 1927)! She’s not alone: 15 other Senate Democrats also voted to give the government even more power to wiretap. What am I missing here, Dianne?
What to do about congress
August 9th, 2007 — Uncategorized
After the Democrats voted to expand the National Security Agency’s (NSA’s) authority to spy on Americans without warrants, EFF has stepped up to show how to fight it. “Congress Caves on Warrantless Snooping — What Happened, and How To Fix It”
We also have to take the fight back to Congress, and for that we need your help. The most important check on the abuse of power ultimately isn’t Congress — it’s you. It’s up to you to hold your representatives accountable for allowing this egregious change or supporting it outright. Don’t let them think for a second that this went unnoticed: send them a letter here, call them to voice your opposition, and visit their home offices in your district during the August recess. Spread the word to your friends and family about what Congress has done and urge them to take action, too.
Fortunately, the law has a sunset date, and, more importantly, congressional leaders are already signaling that they want to revise the law before then. Restoring protections for your fundamental rights shouldn’t wait even a day. Neither should our efforts to make sure that happens — take action now.
It’s time to contact your representative and express your outrage; this must be rolled back.
