Tell HN: Riseup.net fails to update canary; fingerprints deleted without notice
After almost a week of direct questioning, canary is still not updated:
https://riseup.net/pl/about-us/canary
Certificate fingerprints deleted for certain domains on Oct. 22nd without notice:
https://github.com/riseupnet/riseup_help/commit/8a8c98e0aaa635130a899c1980569f34633d159d
Page where fingerprints no longer appear:
https://riseup.net/pl/security/network-security/certificates
135 comments
[ 3.5 ms ] story [ 224 ms ] threadAnd they've had indirect FBI attention before: https://riseup.net/en/about-us/press/fbi-seizes-anonymous-re...
The failure mode of their warrant canary is not that you stop getting email, but that other people start getting your email too.
While obviously this is not about preventing you from "getting email", you might not have received everything. You should consider the service compromised.
> we have no plans on pulling the plug https://riseup.net/en/about-us/policy/government-faq …
https://twitter.com/riseupnet/status/800815181190217729
This could just be drama.
"Dear friends, please remember that internet is not always the answer..."
"by the way, that wasn't a trump related tweet..."
"listen to the hummingbird, whose wings you cannot see, listen to the hummingbird, don't listen to me. #LeonardCohen"
It all "has nothing to do with" canaries.
I don't particularly think Riseup is in that position, but unless someone actively says "don't worry about our lack of a canary, we took it down for $REASONS and all is well", negative evidence is all you can react to.
Edit: the exact link to the official warrant canary is specified in the top post, please don't answer if you haven't recognized that much:
https://riseup.net/pl/about-us/canary
The "If they're relying on double entendres then it might as well be" as a response to "A Twitter feed is not a warrant canary" really has no sense.
https://en.wikipedia.org/wiki/Warrant_canary
Also worth reading:
https://www.schneier.com/blog/archives/2015/03/australia_out...
EDIT - if curious, https://www.reddit.com/r/WhereIsAssange/
http://imgur.com/9Gn8tRr
Basically I'm pretty much freaking out at the moment because it appears that Julian has been disappeared, and I'm doing whatever I can to try and spread awareness about this issue.
Previously, there were people on HN who were sympathetic to WikiLeaks and their cause, and this appears to be changing.
Truth often hurts when it's bad and is against people you support.
I hope Assange is doing well.
Without trying to turn this thread into a full "Where is Assange?" discussion, for me I just can't imagine why he has not sent communication since mid October, now long after the election, especially since the chorus is now strong enough that their Twitter has to say "everyone relax." He usually sees a lot of visitors, and they have access to millions of dollars, so he certainly has various ways to connect to the Internet just to say "I'm fine."
EDIT - I really did mean "didn't want to start full discussion", because there apparently is a whole lot more circumstantial evidence, including regarding some of the people you mentioned (like some members of his legal team being barred entry), but seriously, I'm going to leave the fullness of that discussion for Reddit, and think anyone who is interested in it should take it up there.
There are an abundance of pretty straightforward hypotheses consistent with the known facts(e.g. "Assange isn't feeling fine because he's still angry and/or paranoid about his preferred internet connection being taken away", "Assange feels this story is good publicity, relative to other kinds of publicity he's getting at the moment") but of course these aren't the ones being discussed on "Where is Assange?" subreddits.
However, the election has been over for some time. Even if they could, I doubt the Ecuadorian Embassy would forbid him from sending a basic message, picture, clip to verify he is OK, especially since pressure has been on them for a while now about his well being.
This means when the NSL arrives, it will be seen by the world.
Yahoo was able to publish the letters they received: https://s.yimg.com/ge/tyc/Redacted_Non-disclosure_Terminatio...
But in every company I've worked for mail is signed for by whoever and, if it's addressed to an executive, delivered to a secretary who reads it and decides what to do it.
Given the requirement for secrecy, there is zero chance that an NSL will be treated in this way. And it won't be served by a random process server. Most likely it will be served by an NSA employee, in a discreet situation of their choosing.
The next step in the fight against ongoing, overbearing surveillance is... ongoing, overbearing surveillance?
Ie: a friend.
> It was initially called “Structured English Query Language” (SEQUEL) and pronounced “sequel”, though it later had to have its name shortened to “Structured Query Language” (SQL) due to trademark issues.
See http://www.englishpage.com/articles/a-vs-an.htm (USE 6)
That's why you get "an X-Ray"
https://twitter.com/riseupnet/status/790245677234282496
I'm also curious about the security of things like RES.
Most people don't encrypt because they're not scared enough. It usually takes some time before their wordlview is repeatedly shattered enough that encryption is the only choice they have.
That's not true. A friend and I use GPG just to use GPG. You don't have to want to keep something private, just like you don't need to be doing illegal things to want curtains on your house.
"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged"
What I mean is that I can decide to not encrypt and have my emails under public scrutiny, but as I said, most people are not scared enough because it doesn't happen on their watch.
It doesn't matter what the content is, or how non-libelous - if it's encrypted with PGP, it's private.
* Encryption in transmission emails sent and received, using SSL/TLS
* Encryption in transmission of webmail sessions, using HTTPS
* Authentication security: Do they use 2 factor or other tech?
* Logging and retention of logs
* Reading your mail to build marketing profiles and social graphs
* Access by employees to your data
* Retaining and sharing your personal data with other businesses
* Security of your account information; can they easily be persuaded to surrender it
* Security of the email provider's systems
* Responsiveness to 3rd party requests for your information, whether private parties in lawsuits or legal authorities with/without warrants
* Cooperation with government surveillance dragnets
Security always is a matter of degree. Email will never be perfectly secure but there are some big differences between providers.
Sorry for sniping this specific one, but 2FA is (more often than not), security theater. It gives the illusion of security like how TSA baggage check is a big dance of scanning, pat-downs, and key ceremonies.
For context, consider Yahoo Mail, where emails are read by intelligence agencies before the user even gets them. Does my 2FA help here? Probably not.
I can understand that 2FA does have its uses, but frequently I'm seeing it being used like those 'Secured by Comodo SSL' with a picture of a shield to make a would-be shopper feel like the transaction is more secure. It can be theater.
To summarize, 2FA does not prevent email reading if the provider doesn't, however it does help prevent run of the mill takeovers, especially if you've reused a password somewhere.
Security is all about defense in depth, it's worth keeping in mind that 2FA is an important step there, but by no means the only one.
If you aren't encrypting+signing a message, you've already decided that security requirements of that particular message is minimal.
MFA is used to prevent a third-party who has access to your credentials from being able to login as you and, in the case of U2F, to prevent a successful phishing attempt from compromising your account.
MFA offers no, and never has been billed as, protection against a subverted server or an attacker who can decrypt or tamper with traffic on the wire.
Security is a large, complicated problem. There will never be a single measure which protects against every threat.
Securing against low-level hackers and intrusions increases security, even if it doesn't stop the NSA. It also doesn't stop the CIA from physically spying on you.
Securing yourself against low-level hackers and intrusions is not security theater. For most people, these are the most frequent and direct threats.
I would also argue that over-securing yourself is security theater. It's the same as overselling insurance products to people whose risk profile doesn't match the product. If you're not making security decisions based on the profile of risks you encounter, then you're engaging in theater to make yourself feel better.
This is a completely wrong statement. It helps prevents compromise from non-system-level attackers. Telling a user that 2FA is "security theater" is doing far more harm than good.
> Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.
This is what they claim on their homepage[1]. Tools built by people who believe in a certain philosophy for people working on "liberatory social change".
They try to operate and control their tools. They don't claim that they are "the-most-secure-email-provider".
They claim to work on what they call "Network Security"[2] (traffic encrypting and providing services outside of the tracking bubble), and define other fields of security ("Human Security", "Device Security", "Message Security"), that the user can improve himself by education. They provide means of education for this.
This is an alternative. Gmail is maybe more "secure", or maybe not, but don't claim these kind of social changes. Gmail is "free" and commercial. Riseup is not free and volunteer-run.
[1] https://riseup.net/
[2] https://riseup.net/en/security/#security-overview
edits: typos
"If you are doing certificate pinning with us, we are updating certs! so keep calm and check the new FPs here https://riseup.net/en/security/network-security/certificates …"
https://twitter.com/riseupnet/status/790245677234282496
Updated fingerprints (PGP signed Oct 22):
https://riseup.net/security/network-security/certificates/ri...
Edit:
See OP below restating that fingerprints for certain subdomains are what is missing. Should have read more closely ;)
Black, labs, and a few others have their own certificate that no longer can be verified with fingerprints, since Oct 22nd.
And if it is an ongoing investigation, shutting down immediately may be very difficult. Unless you can make a compelling case that you were already doing so for whatever reason, it is a very clear textbook case of obstruction of justice/interfering with an ongoing investigation.
https://twitter.com/riseupnet/status/800815181190217729
gpg: Signature made Tue Aug 16 01:01:19 2016 EDT using RSA key ID 139A768E
gpg: Good signature from "Riseup Networks <collective@riseup.net>" [unknown]
gpg: aka "Riseup Treasurer <treasurer@riseup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4E07 9126 8F7C 67EA BE88 F1B0 3043 E2B7 139A 768E
(This is why I hate PGP.)
In the universe of possible media in which to conduct discussions with a group of peers, there may be none less safe than SMTP email mailing lists. Keep secrets off mailing lists. Never use mailing lists for secrets. Assume your mailing lists are public. Nobody is going to deploy a mailing list security solution that will ever be adequate against state-level adversaries. Any site claiming to keep political activists secure that offers mailing lists should be viewed with suspicion, because "don't use mailing lists" is close to the only thing that messaging security people agree about.
Not all politicians can/know how to operate anything more complex than an email account.
By the way, are you a fellow Tunisian? I'm kind of surprised because I've never run into a Tunisian on HN :p
Yes I'm Tunisian, I only know of a couple active people around here, but there is a ton of readers.
I see, that's great to hear. I don't live in Tunisia, so I'm not familiar with the Tunisian tech scene. Judging by your Twitter feed, it seems to be really active, which is awesome!
I just need to find the time to filter that data and publish something.
So what are the types of services one should use?
> The guerrilla must move amongst the people as a fish swims in the sea.
It's better to create false identities that are seemingly legit and fully fleshed out, for example: with back stories, and utilize regular services as a normal person would. The key is disconnecting your own identity from the false one. Rather than trusting your security to a 3rd party service that makes a name for themselves on helping people trying to hide their identity, thereby attracting scrutiny.
That being said there are ways to use encryption services in a way to protect your communication but the bar for doing so is very high and most people will either make mistakes or get lazy. Fortunately services like Whatsapp and to a lesser extant Signal are so popular that you could easily blend in using them, while still having high-quality data encryption. Although they both use phone phone numbers for authentication and the device itself is always a weak-link which is why the identity part is so critical.
thegrugq posted an article a long time ago about how CIA agents in Lebanon [1] got caught because they used burner phones in a way that was unlike the way anyone else used cell phones, if I remember correctly: they were turned off the device most of the time except to make a few calls to other phones that were similarly not used often - not in the way normal people make calls. So anyone in control of the mobile operators would be able to ID potential evasive behaviour an zero-in on those devices/people for extra scrutiny.
That type of behavioural analysis that applies to real life can even more easily give you away in the digital world. Which is why it's important to not stand out from the crowd by using services like Riseup when your entire goal is privacy.
[1] http://grugq.github.io/blog/2013/03/12/anonymity-is-hard/
At least in the global south, most of radical activists groups have strong "no-internet policies" for any type of secret, and no cellphones ones for their work. They have learned with their own history what they can or can't do, learned how to deal with IRL infiltration, and even learned how to communicate without any kind of contact or even agreements between groups. To survive and act against dictatorships or invading armies is not easy, they had to be smart.
But still, because travelling is expensive and networking today is a need for some of those groups or collectives, they can communicate with each other talking about their resolutions or activities, which are not secret (as I already said, it's assumed there can be a IRL infiltrate) but they are also not public.
You can see SMTP and mailing lists as a huge security risk, and they are, it's just not very common to see people that assume the opposite around here.
I see it as sticking posters in the street. There is no reasons to use Facebook or Google Groups for most of the Riseup (public) Lists users, not because they want something secret and hidden, but because they don't want to play with some companies rules and appreciate to be a part of a network run by volunteers more than to use profitable fake-free services.
Because it makes sense, not because it is more or less secure.
Confusing update IMHO. Could be read as reassurance. Could also be read as being threatened with incarceration and being forced to keep the site up. or a reminder to archive stuff immediately because of impending shutdown.
Not really sure what to make of it, other than they have obviously heard the concerns and /not/ updated the canary.
The canary hasn't been updated and the tweet implicitly acknowledges that they are aware of the concerns that people have about the overdue update. I can only think of two reasons to do this. 1. get some publicity or 2. for whatever reason they are unable to update the canary and are unable to say why. Personally, I doubt it's reason 1.
https://twitter.com/riseupnet/status/765414528951529472
----------------------------------Disregard, I forgot to check date.
----------------------------------
That tweet is from august