Information Security News mailing list archives

Hushmail - a net woven by the fish themselves?


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Sat, 16 Oct 1999 07:58:00 -0600

From: Grugnog <grugnog () tao ca>
From: savage (by way of GEN lists <genetics () gn apc org>)

Hi

If you value your freedom, only use hushmail for fun; don't say anything
you wouldn't say to a cop. 

hushmail.com is claiming to provide strong encryption on email via a
web-based interface.  You can only send encrypted mail to other hushmail
account holders, so people will obviously encourage their mates to join. 
A very clever net--woven by the fish themselves? 

Show me your friends... 

Anyway I checked who is hosting the service. It was registered by
radiant.net who, on their home page, claim that hushmail is just a client
of theirs. Maybe, but then who owns the company? Safemail enjoys a big
link on the homepage, while lesser bodies such as Maxim Chemicals are
relegated to a list on another page. The other clients of radiant.net are
very interesting. It is a 'British' Columbia internet provider exclusively
for the 'corporate community'. Bear in mind the recent history of BC re
environmentalists particularly. 

From their 'about us' page: 

"The corporate client needs a higher level of service and attention to
detail that is just not available from providers dealing with tens of
thousands of residential users. This dedication to the corporate community
is exactly the emphasis at Radiant and why Vancouver's businesses are
migrating to Radiant Communications." 

Good buddies include: 

B.C. Construction Association
New Westminster Police
Curlew Lake Resources Inc
D'N'A Military Import & Supply Inc
Georgia Pacific Securities Corporation
Hyatt Industries
Kerrisdale Lumber
Maxim Chemicals
Mineral Development Group
Pacific Metals Ltd.
Rubicon Minerals Corporation
Vancouver Condominium Services

and yes, the western canada wilderness committee is in there too, but to me
that is no less corporate. 

Well, call me paranoid if you like but it seems to me that it would be
very easy for a bunch of good buddy loggers and miners to get together
with the NW police and their extremely wealthy local internet experts (not
to mention the local redneck militia supplier) to provide this nice easy
crypto-mail service and erm... help out all the activists they love so
much. 

Peer Review

A prerequisite for any encryption algorithm to be taken seriously is that
the source code be available for scrutiny by other cryptographic experts.
This is the only way ordinary folks can assure themselves that the thing
they use is actually secure. If many experts over a period of years have
been unable to mount a successful attack on the encryption, then there is
a good chance that it is ok. There is too much to go into here, but
although hushmail's stuff is publicly available, I haven't found much peer
review (lots of advertising of course). 

A good summary of some of the cons is at: 

<http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail>

People I have corresponded with who are in the business of strong
encryption have confirmed my hunches. Anyone who knows anything about
security wouldn't touch this with someone else's computer, methinks. But
that's not who they are after, obviously. People need to be warned and we
need to find out more. It could well be bona fide, or at least
well-intentioned, but there is not enough information provided to know
that.  As this can possibly be a matter of being imprisoned for some
people, I think warnings should be prepared and circulated, unless someone
with more knowledge than me can show it is as secure as pgp. 

Any help appreciated. If you think this will do as a warning then feel
free to forward it to people you care about. 

Andy

PS: Nearly forgot;
<http://www.radiant.net/>

ISN is sponsored by Security-Focus.COM