Saturday, February 2, 2008

F R E E D O M

Last week, I finally told HughesNet that I didn't need them anymore.

NO. MORE. SATELLITE. INTERNET.

I was only a month behind my goal of getting rid of HughesNet, but it came along with a move to a new city and state. And the most pleasant surprise is a really high speed internet connection for $36, along with a package of cable tv (I may go with DirecTV later since their programming is better and they have some channels I really like). I told the person when I signed up for high speed internet that I liked the internet music stations like SomaFm and Radio Paradise, and she said there was no problem. We'll see.

NO MORE $60/MTH FOR DIALUP OVER THE SATELLITE.

Beyond this, I really don't have anything to add to the blog. The links on the right side provide great places to get news on the (poor) state of the US internet. I'll leave it here (with sporadic updates) for people wondering about HughesNet and other satellite internet providers.

To those people, I would recommend, DON'T DO IT.


HughesNet, it's been a long and difficult relationship over the last year since you implemented FAP caps last year and started penalizing people for using what they paid for. I won't miss the pain-in-the-ass headaches you caused me. In fact, I'll be glad to read in the future when you fail for the reasons mentioned in this blog and then file for bankruptcy. You won't be missed. Just another example of corporate greed killing another business.

Sunday, December 30, 2007

Oregon gets props for this

Oregon Challenges RIAA's Tactics in Music Piracy Claim
The state attorney general is resisting the music labels' demand for consumer identities.
by Jaikumar Vijayan, Computerworld, Saturday, December 01, 2007

(links in the original article on the Computerworld site)

Oregon is fast becoming Ground Zero in the contentious battle between the Recording Industry Association of America (RIAA) and the tens of thousands of consumers it accuses of illegal music sharing.

The state Attorney General's office this week filed an appeal in U.S. District Court in Oregon calling for an immediate investigation of the evidence presented by the RIAA when it subpoenaed the identities of 17 students at the University of Oregon who allegedly infringed music copyrights. It is the second time in a month that Oregon Attorney General Hardy Myers has resisted attempts by the RIAA to force the university to turn over the names of individuals it says shared music illegally.

Officials at the RIAA could not immediately be reached for comment.

"It is a really huge step when the head law enforcement officer of a state wants to investigate the RIAA's evidence-gathering techniques," said Ray Beckerman, a New York-based lawyer who has been defending individuals in RIAA lawsuits.

Myers' move raises fundamental -- and overdue -- questions about the tactics used by the RIAA in its campaign against alleged music pirates, Beckerman said. "The RIAA has been bringing fake copyright infringement lawsuits, the sole purpose of which is to get the names and addresses of John Does," he said. They then drop the case and try to pressure these individuals into settling based on dubious evidence at best, he said.

In a 15-page brief filed Wednesday, Oregon's assistant attorney general, Katherine Von Ter Stegge, said that while it is appropriate for victims of copyright infringement to pursue statutory remedies, that pursuit had to be "tempered by basic notions of privacy and due process."

"The record in this case suggests that the larger issue may not be whether students are sharing copyrighted music," the state's brief noted. Rather, it is about whether the litigation strategies adopted by the RIAA are appropriate or capable of supporting their claims.

For example, the individual in whose name the subpoena was issued had no first-hand information about the alleged misconduct of the students or the subsequent investigations by the RIAA, the appeal filed by Myers' office noted.

The data mining techniques that the RIAA used also only show that certain copyrighted music files existed along with software that could be used to share these files. But it does not show how the music files were originally obtained or whether the files were actually illegally shared thereafter. As a result, all that was shown was a potential for misuse, not actual misuse, the AG noted in court papers.

The brief also questioned whether the RIAA's investigators themselves might have illegally accessed and uploaded private confidential information not related to copyright infringement, that might have been stored on the computers of people being investigated. "Without reciprocal discovery, there is no process to assess precisely how invasive the plaintiffs' investigation was with regard to the John Does named in this suit," the brief said.

The state also questioned whether previous cases suggest that the RIAA may have abused the judicial process by obtaining the identities of suspected copyright infringers and then choosing not to pursue litigation. Rather, it used collection firms to leverage payment of "arbitrary sums of money, based on threats and evidence from the data mining." There is no way for the university to find out whether this is true unless the RIAA can be asked about it specifically, the state argued.

Myers' latest salvo comes just a few weeks after an earlier motion was filed asking the court to quash the RIAA subpoena. In that motion, filed Oct. 31 on behalf of the University of Oregon, Myers said that the university was unable to identify 16 of the 17 alleged music pirates based on IP address information provided by the RIAA.

The RIAA has subpoenaed universities and Internet service providers for the identities of individuals it suspects of illegal file sharing. The modus operandi is to send the university -- or service provider -- a list of IP addresses on their networks that the RIAA is targeting. It then demands the identities of the individuals to whom the IP addresses were assigned.

In the Oregon university case, five of the 17 John Does in the RIAA subpoena accessed the copyrighted content in question from double occupancy dorms. That made it hard for the university to know who specifically might have accessed and shared copyrighted information, Myers claimed. The university also could not say whether the alleged copyright infringement had been done by the individuals that the IP addresses had been assigned to, or by others.

This week's brief was filed in response to an RIAA appeal opposing the state's earlier effort to quash the RIAA subpoena.

The Top 10 Reasons to avoid Satellite Internet - Number 9

No Music streaming, downloading movies, VOIP, or other apps

It's hard to be a 21st-century internet user when the ISP-mindset is 19th-century. As with dialup, these applications won't work on satellite for one reason (FAP) or another (traffic shaping). By the time the ISP comes up with its business model to overcharge its customers through the nose, it's cheaper to do it the old way.

So much for progress and technology.

The Top 10 Reasons to avoid Satellite Internet - Number 10

Weather

Wanna know what I was doing the week before Christmas after the six inches of snow and ice?

In 20-degree weather, I was putting the ladder up to go up on the roof of the house to clean the dish off. Always happens that way. Snow will settle on the dish and then there's no internet access.

Even when it's a sunny day with clear skies, the satellite can drop out of the blue.

And of course, there are always storms and rain and whatever other weather-related conditions during which the internet connection will inexplicably drop.

Then of course when that happens, you can either wait or call India using the 800-support line.

The Myth Of The Bandwidth Crunch Just Won't Die

Techdirt comes through again!

The Myth Of The Bandwidth Crunch Just Won't Die

from the this-again? dept
A few months back we noticed a trend. Whenever we heard fear mongering reports about the internet running out of capacity, they almost always came from folks who weren't technologists. Instead, they tended to be telco business folks, lobbyists or politicians. When it came to actual technology people who had real experience and real data concerning what was happening on the network, we would see over and over and over and over again that the "threat" of a bandwidth crunch is pretty much a myth. We're not running out of bandwidth, and the ongoing upgrades to the network should be able to handle whatever growth comes along. There's no reason to panic... yet, that's not the message that the telcos want you to hear. After all, it's in their interest to work up fears of internet capacity problems so that politicians will pass legislation providing them with subsidies or other unnecessary benefits.

So, when Broadband Reports pointed us to an op-ed piece in the Boston Globe by a Harvard professor talking about the coming bandwidth crunch and the need to switch to metered pricing (another telco favorite, after they were too clueless to accurately predict that unmetered pricing would lead to more usage), it wasn't difficult to guess that she didn't have a technology background. Instead, it appears her background is entirely in public policy. There's certainly nothing wrong with folks looking at this issue from a public policy position (in fact, it's important). But, before they claim that the internet is running into trouble, shouldn't they look at what those who actually have the data have to say about the matter?


* * * * *

John Doe Comment: Nothing new here, and pretty much what we've said all along. The telco and ISP industry can't create new revenue streams with new forms of business offerings, so they go with the "FAP" (fair access policy) nonsense. So when you can't create, you implement bad and dishonest business models with invented scare strategies like "the internet's running out of bandwidth".

Monday, December 3, 2007

They did it again

A couple of weeks ago, HughesNet degraded their service yet again. Um, their already dialup-over-the-satellite slow connection has gotten even s-l-o-w-e-r.

How do I know this? Gmail used to take me straight into my inbox. Now, it tells me my internet connection is slow and tells me to use the basic HTML version.

HughesNet continues to make their bad business model worse.

Soon it won't be my concern.

Coming soon ----> The Top 10 Reasons to avoid Satellite Internet Snakeoil.

Tuesday, November 13, 2007

Um, how's that "capitalism" stuff go again?

From the Techdirt files . . . . .

Service Providers Can't Be Honest With Themselves, So How Can They Be Honest With You?
from the self-realization-time dept

Last week I was wondering why the various mobile operators couldn't just be honest to customers in explaining the limitations of various service plans. A report had come out saying that people were sick and tired of service providers lying about service and features -- and it seemed to me that a company that was honest would get a lot of customers as a result of that honesty. Of course, this also came only a few days after we were wondering why Comcast couldn't come out and give an honest explanation for why it was jamming certain types of packets. Blogger Tom Lee from the Manifest Density blog has responded to both things (though, incorrectly refers to Techdirt as being anti-telco, which we're not at all -- we're anti-telco-stupidity, which is quite different), making a very perceptive point. He basically says that it's impossible for any of these service providers to be honest with customers because doing so would require them to first admit the truth to themselves: they're just commodity dumb pipe providers, and all their efforts at pretending to be something more are pretty much meaningless. Until they can admit that (and Lee's assertion is they won't admit that), they can't be honest with customers. There's definitely a large chunk of truth in there, and it explains part of what the problem is -- but I still don't think that precludes service providers from being a lot more honest, even as they try to provide additional value-added services that might not matter. Being honest and transparent with customers is a good marketing idea for these companies, especially as they're being challenged to be anything more than a commodity dumb pipe provider. Being honest can actually be a part of their differentiated appeal to customers.

Hushmail is gonna be history

From the Techdirt files......

Hushmail Turns Out To Not Be Quite So Hush Hush
from the privacy-is-an-illusion dept

Many people are familiar with the company Hushmail, which provides encrypted web-based email that the company claims is completely private. In fact, the company makes it clear: "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." It turns out that isn't quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here -- and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions, one which requires a java app to be downloaded, which handles all the encryption locally. The other, more popular one, is entirely web-based, meaning that your passphrase is stored on the server ever so briefly -- and that's how Hushmail was able to access the accounts required in the court order. So, while it's true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.


From Wired . . . .
Encrypted E-Mail Company Hushmail Spills to Feds
By Ryan Singel, November 07, 2007, 6:39:41 PM | Categories: Crime, Hacks and Cracks

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer."

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.

The court revelation demonstrates a privacy risk in a relatively new, simple webmail offering by Hushmail, which the company acknowledges is less secure than its signature product.

A subsequent and refreshingly frank e-mail interview with Hushmail's CTO seems to indicate that government agencies can also order their way into individual accounts on Hushmail's ultra-secure web-based e-mail service, which relies on a browser-based Java encryption engine.

Since its debut in 1999, Hushmail has dominated a unique market niche for highly secure webmail with its innovative, client-side encryption engine.

Hushmail uses industry-standard cryptographic and encryption protocols (OpenPGP and AES 256) to scramble the contents of messages stored on their servers. They also host the public key needed for other people using encrypted email services to send secure messages to a Hushmail account.

The first time a Hushmail user logs on, his browser downloads a Java applet that takes care of the decryption and encryption of messages on his computer, after the user types in the right passphrase. So messages reach Hushmail's server already encrypted. The Java code also decrypts the message on the recipient's computer, so an unencrypted copy never crosses the internet or hits Hushmail's servers.

In this scenario, if a law enforcement agency demands all the e-mails sent to or from an account, Hushmail can only turn over the scrambled messages since it has no way of reversing the encryption.

However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via an SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.

In the case of the alleged steroid dealer, the feds seemed to compel Hushmail to exploit this hole, store the suspects' secret passphrase or decryption key, decrypt their messages and hand them over.

Hushmail CTO Brian Smith declined to talk about any specific law enforcement requests, but described the general vulnerability to THREAT LEVEL in an e-mail interview (You can read the entire e-mail thread here):
The key point, though, is that in the non-Java configuration, private key and passphrase operations are performed on the server-side.
This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet.
This might clarify things a bit when you are considering what actions we might be required to take under a court order. Again, I stress that our requirement in complying with a court order is that we not take actions that would affect users other than those specifically named in the order.
Hushmail's marketing copy largely glosses over this vulnerability, reassuring users that the non-Java option is secure.

Turning on Java provides an additional layer of security, but is not necessary for secure communication using this system[...]
Java allows you to keep more of the sensitive operations on your local machine, adding an extra level of protection. However, as all communication with the webserver is encrypted, and sensitive data is always encrypted when stored on disk, the non-Java option also provides a very high level of security.

But can the feds force Hushmail to modify the Java applet sent to a particular user, which could then capture and send the user's passphrase to Hushmail, then to the government?
Hushmail's own threat matrix includes this possibility, saying that if an attacker got into Hushmail's servers, they could compromise an account -- but that "evidence of the attack" (presumably the rogue Java applet) could be found on the user's computer.
Hushmail's Smith:
[T]he difference being that in Java mode, what the attacker does is potentially detectable by the user (via view source in the browser).

"View source" would not be enough to detect a bugged Java applet, but a user could examine the applet's runtime code, and the source code for the Java applet is publicly available for review. But that doesn't mean a user could easily verify that the applet served up by Hushmail was compiled from the public source code.

Smith concurs and hints that Hushmail's Java architecture doesn't technically prohibit the company from being able to turn over unscrambled emails to cops with court orders.

You are right about the fact that view source is not going to reveal anything about the compiled Java code. However, it does reveal the HTML in which the applet is embedded, and whether the applet is actually being used at all. Anyway, I meant that just as an example. The general point is that it is potentially detectable by the end-user, even though it is not practical to perform this operation every time. This means that in Java mode the level of trust the user must place in us is somewhat reduced, although not eliminated.

The extra security given by the Java applet is not particularly relevant, in the practical sense, if an individual account is targeted. (emphasis added) [...]
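An added example, not Hushmail's code and not part of the Wired article: a Python model of the two configurations described above (applet mode, where the passphrase never leaves the browser, and the 2006 web mode, where the server has to see it) together with the digest comparison that "view source" cannot perform. OpenPGP/AES is replaced by an HMAC-SHA256 counter-mode keystream with no integrity tag, purely so the block runs on the standard library; the salt, passphrase, message and applet bytes are constructed, and `HushServer`, `scenario`, `sha256_hex` and `applet_is_reviewed_build` are names invented here.

```python
"""Model of client-side vs server-side passphrase handling (added example,
not Hushmail's code). AES/OpenPGP stands in as an HMAC-SHA256 keystream so the
block needs nothing outside the standard library; all values are constructed."""
import hashlib
import hmac
import os

SALT = b"constructed-per-user-salt"   # a real system stores a random salt per user


def derive_key(passphrase: str) -> bytes:
    """Passphrase -> key. Whichever side runs this step learns the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; a stand-in for AES, with no authentication tag."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class HushServer:
    """Holds ciphertext only; in web mode it additionally handles the passphrase."""

    def __init__(self):
        self.mailbox = []
        self.logged_passphrases = []   # what a compelled operator could retain

    def store(self, blob: bytes) -> None:           # same in both modes
        self.mailbox.append(blob)

    def web_read(self, passphrase: str) -> list:    # 2006 web mode
        self.logged_passphrases.append(passphrase)  # the "brief moment" the article describes
        key = derive_key(passphrase)
        return [decrypt(key, b) for b in self.mailbox]

    def operator_view(self):
        """What someone with server access can recover after a court order."""
        if not self.logged_passphrases:
            return None                              # nothing but ciphertext on disk
        key = derive_key(self.logged_passphrases[-1])
        return [decrypt(key, b) for b in self.mailbox]


def scenario(use_applet: bool, passphrase="correct horse", msg=b"constructed message"):
    """Returns (what the user reads, what the operator can read)."""
    server = HushServer()
    key = derive_key(passphrase)               # applet mode: this runs in the browser
    server.store(encrypt(key, msg))            # ciphertext reaches the server either way
    if use_applet:
        user_view = [decrypt(key, b) for b in server.mailbox]   # decrypted locally
    else:
        user_view = server.web_read(passphrase)                 # passphrase sent to server
    return user_view, server.operator_view()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def applet_is_reviewed_build(served_applet: bytes, pinned_sha256: str) -> bool:
    """The check 'view source' cannot do: compare the applet actually served
    against the digest of a build the user compiled from the published source."""
    return hmac.compare_digest(sha256_hex(served_applet), pinned_sha256)
```

`scenario(True)` gives the operator `None`: the mailbox holds ciphertext and nothing on the server can reverse it. `scenario(False)` gives the operator the plaintext, because `web_read` had to see the passphrase to serve the user at all, so an order only has to compel the server to keep what it already handles. The digest check shows why applet mode narrows the trust rather than removing it: it helps only if the user holds a trustworthy digest of a build from the published source, and it has to be repeated on every load, which is Smith's "not practical to perform this operation every time."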
Hushmail won't protect law violators being chased by patient law enforcement officials, according to Smith.

[Hushmail] is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order.

That's also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order.

Smith also says that Hushmail only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government, whose Justice Department then applies, with sworn affidavits, for a court order.

We receive many requests for information from law enforcement authorities, including subpoenas, but on being made aware of the requirements, a large percentage of them do not proceed.
To date, we have not challenged a court order in court, as we have made it clear that the court orders that we would accept must follow our guidelines of requiring only actions that can be limited to the specific user accounts named in the court order. That is to say, any sort of requirement for broad data collection would not be acceptable.

I was first tipped to this story via the Cryptography Mailing List, and Kevin, who had been talking with Hushmail about similar matters involving another case, followed up with Smith. We both agree Hushmail deserves credit for its frank and open replies (.pdf). Such candor is hard to come by these days, especially since most ISPs won't even tell you how long they hold onto your IP address or if they sell your web-surfing habits to the highest bidders.

This week in fuckwit history . . . .

HughesNet degraded their service yet again. Now your internets are even s-l-o-w-e-r. Now the average is about 1-1/2 minutes to load a page when you click your mouse.

Fuckwit Nation marches on.

I wonder about the HughesNet CEO. Is "clueless" a job prerequisite?

Wednesday, October 31, 2007

HughesNet & Sandvine (traffic shaping)

Sandvine lists DirecTV as a customer on the website. One can reasonably conclude that HughesNet also uses Sandvine to enforce its FAP ("Fair Access Policy" aka imposing traffic caps on the user).

Wiki has a writeup on Sandvine.

"....Controversy

Sandvine is reportedly used by Comcast to reduce the impact of BitTorrent and other P2P traffic, but does so by sending forged RST packets rather than traffic shaping. This interferes with other network protocols, and potentially violates network neutrality as well as fraud laws on the part of the ISP. Recently, Comcast customers have also reported an inability to use Google because forged RST packets are also interfering with HTTP access to google.com [2], which has further angered users.[3]..."
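An added example, not from the Wikipedia excerpt, Sandvine or Comcast: a small detector for the forged resets the excerpt describes, using the TTL-consistency heuristic from published studies of reset injection. A reset injected by a box between the two hosts has travelled a different number of hops than the real peer's packets, so its IP TTL on arrival disagrees with the TTL on that peer's other packets in the same connection. The `Packet` record, `find_injected_resets`, the addresses and the capture are all constructed here.

```python
"""TTL-consistency check for injected TCP resets (added example; every packet
record below is constructed, addresses are from the documentation ranges)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    ttl: int      # IP TTL as seen at the capture point
    flags: str    # TCP flags, comma separated, e.g. "SYN,ACK"


def find_injected_resets(packets, tolerance=1):
    """Return RST packets whose TTL disagrees with the sender's TTL baseline.

    baseline[(src, dst)] is the TTL of the first non-RST packet seen in that
    direction. Packets from one host normally arrive with a stable TTL; a reset
    that claims the same source but comes from a different hop count is the
    signature of a middlebox writing packets in the peer's name."""
    baseline = {}
    suspects = []
    for p in packets:
        flow = (p.src, p.dst)
        if "RST" in p.flags.split(","):
            expected = baseline.get(flow)
            if expected is not None and abs(p.ttl - expected) > tolerance:
                suspects.append(p)
        else:
            baseline.setdefault(flow, p.ttl)
    return suspects


# Constructed capture taken on the client (192.0.2.5) during a P2P session with
# a peer at 203.0.113.10 whose genuine packets arrive with TTL 52.
CAPTURE = [
    Packet("192.0.2.5", "203.0.113.10", 64, "SYN"),
    Packet("203.0.113.10", "192.0.2.5", 52, "SYN,ACK"),
    Packet("192.0.2.5", "203.0.113.10", 64, "ACK"),
    Packet("203.0.113.10", "192.0.2.5", 52, "ACK,PSH"),
    Packet("203.0.113.10", "192.0.2.5", 60, "RST"),   # peer's address, wrong hop count
    Packet("203.0.113.10", "192.0.2.5", 52, "RST"),   # peer really closing: consistent TTL
]

if __name__ == "__main__":
    for p in find_injected_resets(CAPTURE):
        print("suspect reset from", p.src, "ttl", p.ttl)
```

On the constructed capture only the TTL-60 reset is reported; the TTL-52 reset passes because it matches what the peer has been sending. The heuristic needs a baseline from earlier packets, so a reset arriving before any data from the peer cannot be judged, and a route change mid-connection can shift the TTL and cause a false positive, which is why a small tolerance is kept. Seeing both ends of a connection receive resets at the same moment, as the Comcast reports describe, is the other symptom worth correlating.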