Silk Road forums

Discussion => Security => Topic started by: flipside on May 07, 2012, 08:29 pm

Title: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: flipside on May 07, 2012, 08:29 pm
Ok.

It "may" just be nothing. But I ALWAYS err on the side of caution. Especially involving hush, and the recent FM/Hush busts, etc.

But. "Just in case". PSA:

Within the last half hour I have received 2 separate hushmails, from two separate friends/addresses.

BOTH were sent 100% "encrypted". No question. 100%.

Yet they were sent, and arrived, "unencrypted".

There is NO reason at all these two emails (each sent from 2 separate hush accounts, to 2 separate Tormail addresses) should have been sent or arrived "unencrypted".

EVERYTHING "adds-up" ok? I checked. To the "T". And verified with all those involved.

Luckily nothing sensitive was compromised, since with the few left I know still using hush, I "require" that we alwayz use c0d3z, etc. in our communications.

I'm doing my best to get everyone off hush, but...you know how it can be.... :(

So just a 'headz up'. Maybe nuthin. Maybe not?

Have any others noticed this? Or any other unusual recent activity re: hush?

I advised both of my friends to advise ALL of 'their' friends still using hush (in a VERY safe way) to NOT use hush until further notice. I'd advise the same to the SR community here as well. Better safe than sorry. Period.

Although I DO have a tin-foil hat layin around somewhere which I do wear at times...it is extremely rare...and this is not one of those times, ok?

With the recent hush-related Farmers Market bust, etc., I dunno...But I would NOT be surprised if "something" were up.

So "just in case" I felt the need to post this. Even if it turns out to be nothing. If so, my apologies. Just some "healthy" paranoia, ok?

Please share any related info you have as well.

Thank you.

TFC
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: antigrid on May 07, 2012, 08:53 pm
What are everyone else's thoughts? What could be going on with hush as a whole? I would think everything is a case by case basis. I have also read that if you're going to use them to use a @hush.ai address as everything else is run by Canadian law and that particular server goes by some random island law.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: flipside on May 07, 2012, 09:25 pm
And ESPECIALLY concerned because this DIRECTLY involves both hush, Tor, AND an SR vendor....with all involved having enjoyed, long-time, ongoing "legally questionable" activities together...dig?

Although due to certain security precautions we have in place, we are "personally" truly NOT concerned.

However, others 'may' very well be concerned. Especially if you or someone you know EVER accessed Hush from a 'personal' IP.

So...just our opinion...but just watch ur back 'for a sec' my fam... K? ;)

Peace

TFC

Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: Anathem on May 08, 2012, 08:46 am
Hey flip - do I need to encrypt messages I send through the SR messaging system to you as well? Or just e-mails.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: flipside on May 08, 2012, 02:44 pm
Anathem,

You should ALWAYS encrypt "any" sensitive info using GPG, anywhere, and to anyone, if it truly is sensitive.

Personally, (possibly due to certain security settings we have in place) we are completely unable to "view" ANY GPG encrypted messages sent to us via SR. We only see a "blank box", either via PM or within an order.

Therefore, we can ONLY read or reply to GPG encrypted messages sent to us via email.

----------

And the more I think, the more I start to wonder if Hush itself was perhaps set up by the feds themselves for this very reason. They essentially are LE anyways, but it would be a pretty sneaky plan, and would not surprise us one bitcoin.

But the answer is simple. DO NOT USE HUSH. EVER. PERIOD.

Perhaps we could file a class-action lawsuit and sue the living hell out of them until they are FORCED to go out of business. And forced to go (and stay) out of "our" business as well?

Just a thought.

Also curious about the 'hush.ai' comment and it possibly being run from a separate off-shore server. Interesting...hmmm....

Peace

TFC
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: CrankedToEleven on May 08, 2012, 03:34 pm
If you're using Hushmail, you might as well paint a giant greeting on your roof screaming "ILLEGAL NARCOTIC ENTHUSIASTS, WE WELCOME YOU". Hushmail has, since about the end of 2007, been cozying up to LE -- they've released a shit ton of cleartext emails under court order. There's a giant security hole if you use their servers for encryption and decryption, i.e. do not first encrypt your emails using a standalone app before transmitting. Your data is available as cleartext during a small window, which also allows Hush to capture your passphrase. By using their facilities to secure your communications, you're forced to reveal the unencrypted messages and your passphrase to Hushmail. Very, very bad. This means Hush can (and probably does) hold on to your key phrase in case LEO comes a-knockin. So, don't use Hush.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: Anathem on May 08, 2012, 08:35 pm
Ok, thanks for the reply.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: jewpacabra on May 08, 2012, 08:38 pm
I'm sure hushmail has GPG cracking built right in.... or the more obvious answer is that you are using their hosted encryption.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: Limetless on May 08, 2012, 08:40 pm
Yeah, Hushmail has been bent for years. Loads of cases now where LE has said "Gimmie" and Hushmail has asked if they wanted condiments with their well done 16oz evidence.

Nobody and I mean not even your pets should use Hushmail in any capacity apart from maybe going onto their site and saying "No...I don't think so."

Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: Anathem on May 08, 2012, 09:32 pm
Hey there, noob question: when I choose to 'encrypt' my message with another person's key, do I need to 'sign' it? gpg tools gives me this option but I'm not sure it does anything. It just prompts me for my password. Do recipients require this?
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: Ordos on May 09, 2012, 01:48 am
Signing a message gives the recipient of the message a way of verifying that you sent the message. To be honest I don't want anyone to prove without a doubt that I ordered an ounce of weed. For buying and selling on SR I would forget about signing.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: cacoethes on May 11, 2012, 03:47 am
I wouldn't trust Hushmail with an encrypted lolcat. It's been suspect ever since The Hive went down in the late 90s/early 00s.
Title: Re: * URGENT *: "Possible" new Hush-related security concerns. SERIOUS! Please read!
Post by: Chaotika on May 11, 2012, 05:17 am
I wouldn't trust Hushmail with an encrypted lolcat. It's been suspect ever since The Hive went down in the late 90s/early 00s.

Hush was never trustworthy. It's just highly convenient and disposable.