Tor at the Heart: Riseup.net

by dgoulet | December 12, 2016

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.

Riseup.net

Riseup.net was started back in 1999 after the WTO protests in Seattle. They provide online communication tools, including email, chat, file uploads and collaborative platforms for people and groups working on liberatory social change. Riseup is a project to create democratic alternatives and to practice self-determination through the control of secure means of communication.

The Riseup collective is made up of many "birds" who believe it is vital that essential communication infrastructure be controlled by movement organizations and not by corporations or governments.

They strive to keep mail as secure and private as possible. They do not log your IP address. (Most services keep detailed records of every machine that connects to their servers. Riseup only keeps information that cannot be used to uniquely identify your machine.) All of your data, including your mail, is stored by riseup.net in encrypted form. They work hard to keep their servers secure and well defended against any malicious attack. They do not share any of their user data with anyone. They actively fight all attempts to subpoena or otherwise acquire any user information or logs. They do not read, search, or process any of your incoming or outgoing mail, other than by automatic means to protect you from viruses and spam or when directed to do so by you when troubleshooting.

Some of the Riseup birds work tirelessly on building secure email infrastructure, one of them runs longclaw, one of our amazing directory authorities, and all of them are dedicated to building a better Internet—and thus, incidentally, a better world. Oh, and they also run two fast Tor exit nodes, wagtail and pipit.

In addition, for years Riseup has been providing Onion Services for each of their services. Start using them today here!

We also can't thank them enough for writing this Onion Service Best Practices Guide, helping countless users and services around the Internet to be more secure, and truly making everyone not part of a DarkWeb but rather a SecureWeb (tm).

We hope we can continue this close relationship with Riseup. So many Tor users around the world depend on them for protection. Please visit our bird friends at Riseup and support their critical work!

And don't forget to donate to the Tor Project and get involved!

Thank you for reading, and soon enjoy not being in 2016 anymore! :)

Comments

Please note that the comment area below has been archived.

December 13, 2016

> So many Tor users around the world depend on them for protection
their vpn propose usa servers , it is a short choice for an anonymity tool_[users around the world _center ?_].

December 13, 2016

Thanks so much for highlighting the critical role played by Riseup in promoting democracy around the world!

As a Riseup user myself, I know how vital this resource is for activists and political dissidents everywhere--- and how strained are their coffers, so I hope Tor users who use this blog will request an account and donate to help pay for the Riseup servers.

Maybe I missed something, but did you fail to mention the fact that Tails Project extensively uses Riseup Labs for bug tracking and development collaborations?

The Tails version of Tor Browser includes a bookmark to the Riseup webmail server, which possibly should point to the onion rather than the https link. One important point about Riseup webmail: if both sender and recipient have accounts at riseup.net and do not forward emails to accounts elsewhere, it is believed that emails between them should never leave the Riseup servers at all, which could make it much harder for attackers to snoop on metadata (e.g. for traffic analysis, social networking analysis) without risking breaking into the network. This could be an enormous advantage for reporters communicating with sources, especially in cases when other communication modes are not available.

Further, since the Riseup sysadmins try to run a secure ship, even sophisticated state sponsored attackers may acknowledge that any attempts to break into the Riseup network may be noticed, or even worse for them, their malware may be captured, reverse engineered, and published with attribution! This stands in contrast to commercial providers, where security is a low priority (even worse, some commercial webmail providers claim but do not attempt to provide high security).

I hope a Riseup representative can comment on concerns among Riseup users about the fact that the warrant canary

https://www.riseup.net/en/canary

has not been recently updated. This should be updated "approximately" every 3 months but has not been updated since Aug 2016. To be sure, such concerns have been expressed before, and on those occasions the canary was eventually updated, with no explanation for the delay.

However, a few months ago, the Riseup blog tweeted a reassurance which was oddly worded "no *activists* are at risk", leading to concern that Riseup has possibly been hit with an NSL or some other USG procedure accompanied by a gag order, or perhaps even that Riseup sysadmins are "operating under duress". Some replies to user emails have also been strangely worded. My latest information (some weeks old) seemed to suggest that Riseup was seeking legal advice about something, and hoping to say more after talking with their lawyers.

Micah Lee, a tech advisor to EFF and The Intercept, wrote about the rumors two weeks ago in this story at The Intercept:

https://theintercept.com/2016/11/29/something-happened-to-activist-emai…
Something Happened to Activist Email Provider Riseup, but It Hasn’t Been Compromised
Micah Lee
29 Nov 2016

@ The Intercept: please make sure your reporters' GPG keys as published at The Intercept have not expired! And reporters, please check your Riseup account inboxes. With great caution, since some users report receiving suspected phishing emails.

Regardless of the rumors, as far as I know, Riseup is one of the very few webmail providers which is likely to at least try to fight any NSL or other attempt to exploit "counterterrorism" legislation to harass political dissidents, environmentalists, scientists, technologists, journalists, social justice activists, anti-drug cartel bloggers, and many others who use Riseup.

December 13, 2016

rise.up is for communicating between usa guys inside usa territories.
And all is under survey , when i am typing even the admin could censor & replace my words by his own sentences.

riseup is operating under a neocommunist doctrine. If you are alright with people preaching the 'evil of fascism' where 'fascism' is some arbitrary notion of what they don't approve, then I guess you can use their services. If you are not ok with Stalin's ghost, then you should stay clear.

> The Riseup people are as far away from Stalinism as they could possibly be.

Indeed.

> They're anarchists.

Well, not that either, not really. A very old version of the article at Wikipedia

https://en.wikipedia.org/wiki/Riseup

did characterize Riseup as an "anarchist" collective, but Riseup itself does not mention anarchy in their own statement of political principles:

https://riseup.net/en/about-us/politics

The current version of the Wikipedia article says:

> Riseup is a volunteer-run collective providing secure email account, email list, VPN, online chat, and other online services; the organization was launched by activists in Seattle in 1999.

Hope this clears up the nature of Riseup's political stance.

I bet the Riseup collective wouldn't know the difference between fascism, nationalism and nazism. So it's funny they ask for differentiation between anarchism and stalinism or whatever they call it now.

Hello ,
These "words" [anarchist,socialist,communist,fascism,etc.] are coming from an old historic culture and are not understood by young 'nation' ... so you know , the usa and his knowledge of the politics ...
Cheers.

So only "old nations" such as Russia, but not "young nations" such as the USA, are capable of understanding political/historical terms?

But aren't we (Americans) all Russians now? Now that a Putin puppet has been "elected" to run the USG?

> So...
May i answer to you quietly ?
The 'political/historical terms' in reference were known by a struggle during few hundred of centuries and learn before during few thousand ...
A - your culture -usa- is non-existent :
How could you understand "terms" that you have not built with your blood ?
e.g. An anarchist in the usa is a tramp hiding in a train.
e.g. A socialist in the usa is a policeman who is speaking about his italian village.
e.g. A communist in the usa is someone who earns his money in the usa but spends it in cuba
B - your history -usa- is empty :
e.g. The us_ speaks between foreign civilization by a commercial agreement and it is forced not discussed and at our advantage.

> But ...
Russia & Usa are allies and trump-putin are a better solution for the peace & the development than E.U _ if you should have preferred an abandoned [lost nation ?] country without identity governed by the downiest people , why have not voted for their opponent ?
If you are a genuine or a native american (i have few doubt about that but who knows ..); you should look at that you win (a clean & strong nation) & not that you lose (the trash-rap dance-ist).

I dare you: pilot an ultralight into the courtyard of the cadet barracks at West Point Military Academy and *say that again*! :-)

Actually, this one is quite funny:

o An American anarchist is a tramp hiding in a train.

But what does it mean? Is it some kind of dig at Woody Guthrie?

I hear that Putin was sorely annoyed when Bob Dylan won a Nobel Prize, because for reasons known only to himself, he felt he should have won.

Be this as it may, your deprecation of American political dissidents begs the question: if American anarchists are such wimps, why is the FBI so frightened by them?

Assuming for the sake of argument that the feds are not also wimps (which admittedly may be the simplest explanation), one answer is that the only mission statement FBI cares about, follows closely, and is somewhat effective in fulfilling (in common with too many other agencies operated by various governments) is: "don't embarrass the agency". And the following tells the short story of a big embarrassment early in the FBI's disreputable history of failure and oppression:

https://en.wikipedia.org/wiki/Mario_Buda#Wall_Street_bombing

Yes, you read that right--- before the truck bomb there was the horse-drawn buggy bomb. Good grief.

Anyway, at Riseup we plan marches, media stunts, that kind of thing. And the FBI always claims that they "must" [sic] spy on us all every minute because there might be *someone* somewhere who isn't satisfied with nonviolent approaches to politics. And we reply that using that kind of hypothetical, you can "justify" any oppression. Wonderful.

In short , you have not the official right to manifest _ you have not won it and no one has given it to you so you are acting illegally and for nothing (if ouba_ouba & harry_son had to do something they should have yet did that ! ).
*the political terms in reference are a right given by the congress (1897/1929/1962) & have not such importance than a struggle from at least 1000 years.
*i did not know that dylan-bob was looking for a job hiding in a train living with his misery in 1929.
*a false history/opinion from fake usa guy (or russian) even studying at west point are for useless & criminal immigrants.
*i did not know that putin the great had the ambition to be an american citizen walking on the street with his guitar singing 'i love new-york'
*Agencies do not care of the protesters , a bonus is given when someone is matched & arrested
in short , you need some education and certainly not a civilized world.

> you have not the official right to manifest _ you have not won it and no one has given it to you so you are acting illegally

I *think* you might be claiming that

o I am posting opinions which have not been sanctioned by officials of my government (or yours?)--- I'm proud to affirm that this at least is correct!

o I am implicitly asserting a universal right to free speech--- damn right I am!

o No government has offered me or anyone else such a right--- this one is wrong; you should possibly read the Bill of Rights, and then the Constitutions of some non-USA nations, many of which enunciate a universal right to free speech; you surely recognize that Tor Project is all about the universal right to free speech, so you must know you are not likely to win many adherents in this blog.

> and for nothing (if ouba_ouba & harry_son had to do something they should have yet did that !

This is sufficiently incoherent to cause me some concern that I might be trying to argue with a nonhuman "author". If not, how strange that modern technology has maneuvered a passionate defender of human rights into the worst violation of all--- expressing doubts about the humanity of a human. Good grief. Sometimes it appears literally impossible to exist in the 21st century without being not merely a criminal, but the worst kind of criminal. I can only hope that my expression of doubt about my doubt will absolve me in this instance.

> even studying at west point are for useless & criminal immigrants

So you criticize West Point for... admitting the occasional first generation immigrant?

I can think of all kinds of criticisms, but open admission of qualified candidates regardless of ethnic origin is not one of them.

> i did not know that putin the great had the ambition to be an american citizen walking on the street with his guitar singing 'i love new-york'

I notice you are not denying the rumor that Putin, like Hitler, fancies himself a meritorious artist.

> Agencies do not care of the protesters , a bonus is given when someone is matched & arrested

I *think* you might be stating, with approval, that Surveillance State operatives are given a bonus each time they deanonymize someone, leading to an arrest. No doubt, but what is your point?

> you need some education and certainly not a civilized world.

I *think* you might be stating that you want to send privacy advocates to some kind of political re-education camp, and that defenders of human rights do not deserve the benefits of civilization.

We would argue that the best of all benefits are the rights to live as a human being free to travel, associate, read, think and write freely, to own our own lives and to have the opportunity to define for ourselves who we are and what we want to be the focus of our own lives. But it seems you want to deny us all of these rights.

> i did not know that putin the great had the ambition to be an american citizen walking on the street with his guitar singing 'i love new-york'

Melodiya Records
Balalaika arr. by V. Putin
Sung by V. Putin
Tune by L. Bernstein

From the title track, "Trump-Rossiya Makeover":

New York, New York,
It's a sodomite town,
Let's blow it up, let's blow it down!
Make it glow, make some dough,

While their political stance troubles me, I think that a pragmatic alliance is a valid approach.
I am willing to follow the "enemy of my enemy" rule if it comes to something so benign as using a group's internet service.

And you should also mention that the real version of this page used to be quite different. The riseup team decided recently to change it into what you linked to because of the negative controversy against their original manifest, which used to be their flagship for years.

Citation?

I've been a member for many years and the page has not changed in that time.

But in any case, any collective is entitled to change its political stance in response to drastically changed political conditions, agreed?

> these days 'communities of resistance' are mostly nationalists

Do you have any evidence for that?

You are most likely correct that few Riseup members adhere to nationalist, much less racist or genocidal views, and those who espouse the latter are sure to be politely asked to close the door quietly as they leave.

>> riseup is operating under a neocommunist doctrine. If you are alright with people preaching the 'evil of fascism' where 'fascism' is some arbitrary notion of what they don't approve, then I guess you can use their services. If you are not ok with Stalin's ghost, then you should stay clear.

It seems you may be Russian.

I wonder whether you might be prepared to admit that a poem which Yevtushenko wrote (in English) about the unexpected (to CIA) collapse of the USSR seems newly relevant to the situation facing American dissidents after the election of the openly pro-Putin authoritarian, Donald Trump:

> We buried our icons.
> We didn't believe in our own great books.
> We fight only with alien grievances.
>
> Is it true that we didn't survive under our own
> yoke,
> Becoming for ourselves worse than our foreign
> enemies?

ISIS is awful, but to many it seems clear that US and RU regimes are far more dangerous to the average citizen living anywhere in the world, but perhaps especially to those living in US or RU.

That is what GPG is for. You can ensure that the admin of Riseup (or of the Tor Project blog. I'm not entirely sure which you meant) cannot replace what you said with anything else. They could try to censor you outright, but they could not forge your words.

> rise.up is for communicating between usa guys inside usa territories.

Not true. For example, civil libertarians in Spain used Riseup to organize to oppose the "Vomit Law". Political dissidents use Riseup to track political corruption in Latin America and Africa. Dissidents around the world use Riseup to stay in touch.

You may be interested in this story:

http://arstechnica.com/security/2016/12/hack_attacks_on_black_lives_mat…
The DDoS vigilantes trying to silence Black Lives Matter
The Web lets anyone be a publisher—or a vigilante.
Corin Faife
14 Dec 2016

If the moderator allows, I will explain the connection with the potential for server seizures in another comment. If the moderator permits, I hope to explain why this story, which might seem to validate your concern, should *not* deter anyone from using Riseup; quite the contrary, on the whole IMO you are unlikely to find a safer place to be an activist on-line than Riseup.

your story has nothing to do with usa based vpn used by rise.up and your link is not in https : please stop writing above and under every post without reading the subject !
thank you !

> your story has nothing to do with usa based vpn used by rise.up

You mean the VPN service offered by Riseup Networks (riseup.net)?

There is a connection, but the comment explaining it in detail was apparently not passed by the moderator, I don't know why not. (It is also possible, I suppose, that it vanished into the ether due to enemy interference with the connection to blog.torproject.org via Tor nodes possibly operated by an unfriendly entity such as GCHQ or GRU.)

Interested persons can search for stories about a seizure by FBI of a server operated by Riseup for MayFirst, which was first reported by Riseup itself with a clear explanation of why the consequences for Riseup itself were (fortunately) minimal. The seizure was part of a worldwide raid by FBI in which dozens of servers operating remailers were seized, in a failed attempt to stop an unknown actor who was allegedly using remailers to send bomb threats. AFAIK, no actual bombs were ever discovered, and the threats continued well after the raid.

OK, it appeared; see

> Did you mean that seizures of servers by US LEAs endanger activists outside the USA *more* or *less* than activists inside the USA (and thus easily arrested by those same LEAs)? If the latter, well, obviously. If the former, please explain your reasoning.

Thanks to the moderator for your generosity.

> but the vpn are based in the usa : dangerous for non-residents.

Did you mean that seizures of servers by US LEAs endanger activists outside the USA *more* or *less* than activists inside the USA (and thus easily arrested by those same LEAs)? If the latter, well, obviously. If the former, please explain your reasoning.

It is unfortunately true that activist collectives around the world frequently experience harassment, including equipment seizures and even raids by local "security authorities".

For example, a Brazilian sister to Riseup had a server seized during political unrest in that country:

https://riseup.net/en/about-us/press/sarava
Riseup stands in solidarity with Saravá
26 April, 2014

>> The Saravá Group is facing the imminent threat of the seizure of its main server by the Public Prosecutor in Brazil. This action comes at a time when Brazil is hosting netmundial, a conference on the future of internet governance. Ironically, earlier this week Brazil passed legislation touted as a “Bill of Rights” for the internet. Yet only days later...

Another group with somewhat similar aims, MayFirst, had a server seized by FBI from the NYC field office in 2012 in connection with FBI's increasingly desperate attempts to identify an anonymous person who was threatening schools in another US state. Because that server was in a colocation facility where MayFirst and Riseup shared space, Riseup users were also affected (but the damage was quickly repaired; the seized server was never used again out of fear that FBI had planted an APT backdoor on it; I do not know the outcome of forensic examination which attempted to find and reverse engineer any malware planted by FBI).

Here is Riseup's statement about that event:

https://riseup.net/en/about-us/press/fbi-seizes-anonymous-remailer
FBI seizes server providing anonymous remailer and many other services from colocation facility.
Attack on Anonymous Speech
20 Apr 2012

>> On Wednesday, April 18, at approximately 16:00 Eastern Time, U.S. Federal authorities removed a server from a colocation facility shared by Riseup Networks and May First/People Link in New York City. The seized server was operated by the European Counter Network (“ECN”), the oldest independent internet service provider in Europe, who, among many other things, provided an anonymous remailer service, Mixmaster, that was the target of an FBI investigation into the bomb threats against the University of Pittsburgh
>> ...

(A small digression, if I may: the modern city of Pittsburgh was a wilderness sparsely populated by persons of European origin during the Washington administration. In 1791, after the Treasury Secretary, Alexander Hamilton, imposed the first major federal tax, on whisky sales, farmers in the Pittsburgh area revolted in the so-called "Whiskey Rebellion", because they relied on local sales of whisky for cash. Washington himself led an army of regulars against the rebellious Americans. Owing to a painful back injury suffered in a fall from a horse some years previously, he soon turned over command to Hamilton, who was also a U.S. Army General. The army attacked some farmhouses and eventually arrested most of the rebel leaders, as well as moderates who were trying to make peace. For some time it appeared likely that Hamilton would carry out field executions, but Washington intervened and pardoned most of the rebels. As this story shows, credible threats to American citizens from the U.S. federal government, and from the U.S. military, are hardly a novel phenomenon. And Hamilton was no saint.)

Dozens of servers in other countries (not associated with Riseup) were seized using the same warrant:

http://arstechnica.com/business/2012/04/fbi-seizes-activists-anonymous-…
FBI seizes activists’ anonymous remailer server in bomb threat investigation
Remailer was in chain of U. of Pittsburgh threats, but not the source, say activist owners.
Sean Gallagher
20 Apr 2012

> Agents of the Federal Bureau of Investigations seized a server belonging to an Italian Internet service provider on Thursday as part of an investigation into a series of anonymous bomb threats sent to the University of Pittsburgh. But the groups associated with the operation of the server are calling the seizure an attack on Internet anonymity.

It is notable that the University of Pittsburgh continued to receive threats after this notorious worldwide raid, proving that FBI sees no ethical violation in harming innocent civilians all over the world when its absurdly vaunted reputation is endangered. The servers were eventually returned but of course they could not be used again.

Riseup itself has come under direct attack from various governments, including both governments allied with and hostile to the US government.

A well known example: during street protests against the "Vomit Law" in Spain, a misguided Spanish judge declared Riseup a "terrorist organization" under the broadly written "counter-terrorism" law which had just been enacted in Spain (the "Vomit Law" itself, the very law being protested). In that case, the US DOJ apparently decided that Riseup did not fit the (also very broad) definition of a "terrorist group" under US law.

Less well known examples include apparently state-sponsored phishing campaigns tied to intelligence agencies maintained by UK and RU, among others.

The widely reported leak of the internal emails of the notorious Italian espionage-as-a-service company Hacking Team showed that someone using an account tied to the Czech national police had ordered up a HT malware tailored for attacking the Riseup mail server. It was not clear from those emails whether he intended to attack all Riseup users, or just one specific user, much less the reason why. It was however clear that he, like many others who hire HT, was pretty clueless about the dangerous tools they wanted to use.

MayFirst also continues to come under nasty attack from various sources. An excellent story which just appeared in ArsTechnica:

http://arstechnica.com/security/2016/12/hack_attacks_on_black_lives_mat…
The DDoS vigilantes trying to silence Black Lives Matter
The Web lets anyone be a publisher—or a vigilante.
Corin Faife
14 Dec 2016

>>> “Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.” These aren’t the words of a politician or a prison guard but of a Web designer. Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her.
>>> ...
>>> Since its creation, pushback against BLM has been strong in both the physical and digital world. The BLM website was taken down a number of times by DDoS attacks, which its original hosting provider struggled to deal with. Searching for a provider that could handle a high-risk client, BLM site admins discovered MayFirst, a radical tech collective that specializes in supporting social justice causes such as the pro-Palestinian BDS movement, which has similarly been a target for cyberattacks.
>>>
>>> MayFirst refers many high-profile clients to eQualit.ie, a Canadian not-for-profit organization that gives digital support to civil society and human rights groups; the group’s Deflect service currently provides distributed denial of service (DDoS) protection to the Black Lives Matter site. In a report published today, eQualit.ie has analyzed six months’ worth of attempted attacks on BLM, including a complete timeline, attack vectors, and their effectiveness, providing a glimpse behind the curtain at what it takes to keep such a site running.

A salient point about these attacks is that social media sites catering to US police officers (yes, they exist; some are even taxpayer funded!) are chock full of ugly (and badly misinformed) opinions about BLM, raising the possibility that the attackers may include (off duty?) cops or misguided supporters of the rabid Sheriff of Milwaukee County, David Clarke. Clarke has stated in numerous editorials that he believes that the USA is in a state of "civil war" (his words) between BLM and the government. Anyone who has compared recent video footage from Aleppo and Milwaukee will probably be disposed to dismiss Clarke as a lunatic, but he enjoys a large following among armed hotheads, which makes him very dangerous in American politics. And he is apparently being considered for some high level post in the incoming Trump administration.

How should activists react to such threats? With fearful retreat? Certainly not! We must rather redouble our efforts to oppose everywhere the encroaching tide of Fascism which has spread to such formerly democratic nations as the USA and Spain.

Remember, even after Hitler became Chancellor in Germany, if more ordinary citizens had protested against his illegal actions targeting political dissidents, Gypsies, gays, disabled persons (the first mass killings exterminated institutionalized severely mentally disabled patients who were killed in the very asylums where they had been incarcerated), and Jews, Catholics, and other ethnic/religious groups, the Holocaust might never have happened. Even then, after so many disasters for civil liberties had already occurred, it might have been prevented if only more people had acted with courage and resolution.

For invaluable insight into how state sponsored genocides develop, please see:

http://www.genocidewatch.org/genocide/tenstagesofgenocide.html
The Ten Stages of Genocide
Gregory H. Stanton

>>>> Classification, Symbolization, Discrimination, Dehumanization, Organization,
>>>> Polarization, Preparation, Persecution, Extermination, Denial

@ Corin Faife (author of the ArsTechnica story): please obtain Tor Messenger and an account at Calyx Institute and please publish a fingerprint for authentication.

Hi,

> but the vpn are based in the usa : dangerous for non-residents.
<> you wrote a lot but nothing about in connection with the reference : are you a bit out of the reality ?
# Riseup is a nice solution and maybe almost perfect running on its own closed (between closed friend i mean) platform but the new vpn have 2 vpn based exclusively in the usa so as soon as you enter in you are under the usa laws.

> "Remember, ... resolution."
<> you do not know what you are speaking about and there are no connections with the reference * but the vpn are based in the usa : dangerous for non-residents.*

> "For ...Denial"
<> same answer see above
# it must be a female comment from the white house after the defeat.

thx for reading & publishing my comment.

> Riseup is a nice solution and maybe almost perfect running on its own closed (between closed friend i mean) platform but the new vpn have 2 vpn based exclusively in the usa so as soon as you enter in you are under the usa laws.

Yes, but if you and your friends all use gpg, carefully encrypted/decrypted offline, not even Riseup admins can read the contents. If you and all your friends use Riseup, your emails may never even leave the Riseup network, so to perform "traffic analysis" (for example by constructing a graph whose nodes are riseup user accounts, with an edge between each pair of users who have emailed each other), an adversary would have to compromise the Riseup network. Yes, the USG could put pressure on Riseup admins to simply let them snoop on the metadata, but even then not even NSA (probably) could read the contents.

It's not perfect but it's something.

Something which is effective enough to deeply worry the "security authorities" in various nations, it seems, all of whom want to keep a close eye on their own dissidents. But it seems you already know that!

By the way, Riseup does not discourage anyone from forming their own collective in some country they think is safer than the USA. Quite the contrary.

> thx for reading

Sorry if I misunderstood.

> And all is under survey , when i am typing even the admin could censor & replace my words by his own sentences.

Are you talking about Riseup webmail or this blog?

If the former, you can use end to end encryption and then no webmail admin can alter your words. Not that I have any reason to think Riseup would ever dream of doing such a thing, or even admins at commercial providers. In most countries, that would be illegal.

Spooks on the other hand operate outside the law in every country and certainly would be happy to alter words if they have intruded into your network.

But don't the quantum inequalities imply that Roger can do only limited damage by bombarding the forces of repression with "negative energy waves"?

Plus one. Every activist should request a Riseup account and use it.

One point is that emails between two people who both have accounts may never leave the mail server. If both use GPG to encrypt/decrypt end to end using only Tails, and store only encrypted emails and only on encrypted data sticks, it will be very hard for an enemy to compromise communications. Even if a Riseup admin were acting under duress at the point of an FBI firearm.

Plus one. Every activist should request a Riseup account and use it.

Isn't one of the advantages of a federal system that all data are on different machines/jurisdictions etc.?

It's much easier to collect data in a centralized environment than a federated system (just think about signal vs xmpp --> Whisper Systems could be forced to collect more meta data and to hand them over but in a federated system with different jurisdictions it is harder to collect all data)

December 16, 2016

In reply to by Anonymous (not verified)

Ars chief tech editor Sean Gallagher made some interesting points about this second reported Yahoo megahack:

http://arstechnica.com/security/2016/12/yahoo-reveals-1-billion-more-ac…
Yahoo admits it’s been hacked again, and 1 billion accounts were exposed
That's a billion with a b—and is separate from the breach "cleared" in September.
Sean Gallagher
14 Dec 2016

> On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from over 1 billion user accounts. The breach took place in August 2013, and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor".
>
> The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer Bob Lord reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
> ...
> Yahoo also had found through outside forensics experts that someone had found a way to forge web browser "cookies" that would allow them to gain access to users' accounts without logging in. "Based on the ongoing investigation," Lord said, "we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies…We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."

An even more important point: there are many things intelligence agencies can do with the passwords of one billion plus ordinary people all over the world. One of the biggest failures of the USIC is that for decades, despite repeated warnings from concerned citizens, it failed to recognize that by practically encouraging FIS to intrude the poorly protected HIEs (health information exchanges), financial and social media accounts used by millions of ordinary Americans, they were severely endangering the "national security" (whatever that means) of the nation they claim to protect. One megabreach which certainly ought to have served as a wake-up call: the loss of the USG dossiers on all its own employees, including those with security clearances. I am no fan of embattled FBI Director James Comey, but he was among the many victims of that particular hack, as he has publicly admitted. Ironic, funny in a way, but also very sad, because so many of us had tried so hard to warn the US political establishment for years of this particular danger, and our reward was to be persecuted by USIC, which failed to even attempt to correct the problems. And continues to fail even today.

"If you want it done right, do it yourself". If you want to protect yourself from attack by enemies foreign or domestic, you need to protect yourself, because your government sure won't. It's all of them (the governments) against all of us (the People).

That's why we, the People of the world, need Tor more than ever.

December 16, 2016

In reply to by Anonymous (not verified)

This is the best assessment I've seen yet of the implications of the recently revealed Yahoo breach of more than one billion user accounts (not the same as a later megabreach which Yahoo revealed about four months ago):

http://arstechnica.com/security/2016/12/what-can-you-do-with-a-billion-…
What can you do with a billion Yahoo passwords? Lots of bad things
Now, Yahoo user data could be behind scores of spear-phishes or other breaches.
Sean Gallagher
15 Dec 2016

> In October of 2013, as a result of documents leaked by Edward Snowden, we learned the National Security Agency tapped straight into the connections between data centers at Yahoo and Google as part of a program called MUSCULAR. A month later, Yahoo announced it would encrypt all of its internal networks between data centers and add Secure Socket Layer encryption and secure (HTTPS) Web connections to all its services. That move, however, failed to prevent two major breaches of user data: a breach affecting user data from more than 500 million user accounts late in 2014 (revealed in September) and the breach revealed yesterday involving data from more than 1 billion accounts. The recent break took place in August of 2013—before the barn door was closed. In addition, Yahoo's chief information security officer, Bob Lord, said that the parties behind the 2014 breach had stolen some of Yahoo's code and used it to forge Web "cookies" that gave access to users' accounts without the need to use login credentials.
> ...

> It's much easier to collect data in a centralized environment than a federated system (just think about signal vs xmpp --> Whisper Systems could be forced to collect more meta data and to hand them over but in a federated system with different jurisdictions it is harder to collect all data)

I interpret your comment to mean that Riseup (which operates servers in WA and NY states in the USA) is too easily attacked or even crippled by US LEAs such as FBI.

True enough, but right now it seems that there is no workable alternative. I'd love to see Riseup establish more partnerships with similar organizations in other countries; that would raise a new danger (that raids anywhere could compromise several international activist collectives), but it could also help ensure that any single collective is harder for one government to simply shut down without notice or explanation, as frequently happens in overtly repressive countries, and which many fear will soon become common in the USA.

As with everything else, for everyone working to promote democracy, international cooperation, political activity by citizens, free speech, and access to truthful news sources, it's all about making tough choices between various alternatives, each presenting serious hazards.

One concern which might be easily overlooked by the technically highly capable people who are likely to comment in this blog is that many US activists are not particularly computer literate, whereas most of the allegedly more technically secure software tools tend to be hard for users to set up, or depend upon everyone using specific brands of smart phone, etc. Some of these tools even require that everyone use the most expensive varieties of specific brands, which would exclude the majority of US activists, who tend not to have middle class incomes.

I may not always agree with technical or strategic choices made by Riseup, but I do believe that they take cybersecurity seriously and that they make decisions carefully, taking account of the fact that activists everywhere are continually attacked in various ways by the intelligence services operated by many countries, including many countries which regard each other as bitter enemies.

I believe that one of the most important strategic activities which the more high profile NGOs such as Tor Project can pursue is to try to encourage the growth of a privacy industry, which could potentially eventually result in much more secure and mass produced hardware being widely available to people of modest means in many countries, and software developers could build upon these strengths to provide Open Source tools which ameliorate existing compatibility issues. (One of the reasons I have such high hopes for Tor Messenger is that it is one tool which appears to overcome many compatibility issues, which I hope could lead to its widespread adoption by activists all over the world.)

> It's much easier to collect data in a centralized environment than a federated system (just think about signal vs xmpp --> Whisper Systems could be forced to collect more meta data and to hand them over but in a federated system with different jurisdictions it is harder to collect all data)

Yes, but if two people both using Riseup are using end to end encryption, taking care to encrypt/decrypt using protected keyrings under Tails when not connected to the webmail server, it should be much harder for enemies to read our communications or to deanonymize us, or even to detect that we are communicating at all. Even if FBI were forcing a Riseup sysadmin to provide "transparent" access to the server at the point of a gun, FBI would potentially learn only that two specific user accounts (or, by combining with NSA dragnet, two specific citizens) are communicating, not what they are saying. Obviously if these are a reporter and a whistleblower, that would be very bad, but it is possible the agency would not be able to easily spy on content, at least not without a raid, which would alert the parties that their communication/anonymity has been compromised.

Currently, offense is so much easier than defense that state-sponsored attackers have all the advantages against ordinary citizens trying to make the world a better place. To some extent, damage to our cause may be inevitable. If so, we need to fall back on simply trying to mitigate the damage, and perhaps to carry on, despite relentless assault from all the most repressive governments in the world.
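The distinction drawn in the comments above, between message content protected by end to end encryption and the metadata a mail server still holds, can be made concrete. The following is an added example, not part of the original thread: the addresses, messages and function names are constructed for illustration, and the armored bodies are placeholders rather than real ciphertext.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mailbox (not real traffic). The armored bodies are
# placeholders standing in for OpenPGP ciphertext.
ARMOR = ("-----BEGIN PGP MESSAGE-----\n\n"
         "(constructed placeholder, not real ciphertext)\n"
         "-----END PGP MESSAGE-----\n")


def _mail(sender, rcpt, subject, body):
    return (f"From: {sender}\nTo: {rcpt}\nSubject: {subject}\n"
            f"Date: Fri, 16 Dec 2016 10:00:00 +0000\n\n{body}")


SAMPLE_MAILBOX = [
    _mail("alice@example.org", "bob@example.org", "meeting notes", ARMOR),
    _mail("bob@example.org", "alice@example.org", "Re: meeting notes", ARMOR),
    _mail("carol@example.org", "alice@example.org", "hello", "See you at 6.\n"),
]


def body_is_opaque(msg):
    """True if the body is PGP/MIME (RFC 3156) or inline ASCII-armored PGP."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    if msg.is_multipart():
        return False
    text = msg.get_payload().strip()
    return (text.startswith("-----BEGIN PGP MESSAGE-----")
            and text.endswith("-----END PGP MESSAGE-----"))


def server_view(raw):
    """What the mail server can read from one stored message."""
    msg = message_from_string(raw)
    senders = [a for _, a in getaddresses(msg.get_all("From", []))]
    rcpts = [a for _, a in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))]
    return {
        "from": senders,
        "to": rcpts,
        # Conventional PGP mail encrypts only the body; headers such as
        # Subject and Date stay in the clear.
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date", ""),
        "body_readable": not body_is_opaque(msg),
    }


def contact_edges(mailbox):
    """Undirected sender/recipient pairs recoverable from headers alone."""
    edges = set()
    for raw in mailbox:
        view = server_view(raw)
        for s in view["from"]:
            for r in view["to"]:
                if s != r:
                    edges.add(tuple(sorted((s.lower(), r.lower()))))
    return edges


if __name__ == "__main__":
    for raw in SAMPLE_MAILBOX:
        print(server_view(raw))
    print(sorted(contact_edges(SAMPLE_MAILBOX)))
```

Running it shows that the two encrypted messages still expose sender, recipient, subject line and date, so the contact graph is the same whether or not the bodies are encrypted.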

December 15, 2016

Riseup.net runs a mail service and uses DNS blacklists to filter incoming emails unbeknownst to their users.

Worst of all, not only does riseup.net rely on third party stealth blocking, they pay a membership to spamhaus.org, the world's most corrupt pseudo anti-spam gang.

This makes riseup.net a sponsor of censorship and a contributor to a money laundering, extortion and fraudulent company.

For this reason, I will never donate to riseup.net

> Riseup.net runs a mail service and uses DNS blacklists to filter incoming emails unbeknownst to their users. Worst of all, not only does riseup.net rely on third party stealth blocking, they pay a membership to spamhaus.org, the world's most corrupt pseudo anti-spam gang.

Do you have any evidence for that claim?

Generally speaking, I happen to share your concerns about spamhaus, but would point out that Riseup does not have the financial resources to operate an independent blacklist, yet just like any other webmail provider the collective must try to protect its users from attack by all the world's crooks (not to mention all the world's spooks), so Riseup is no doubt often caught between a rock and a hard place.

> I will never donate to riseup.net.

I think you might be throwing out the baby with the bathwater then.

All pro-democracy organizations are targeted by so many enemies, and on the Internet the attacker has all the advantages. Which engenders hard choices between less than desirable alternatives.

Clearly for the foreseeable future no one freedom loving collective will be the perfect venue for all activists, but even more clearly, dissidents around the world cannot and must not simply shut down all their activities in defense of free speech and getting the word out about governmental corruption and abuse.

December 16, 2016

I don't understand why so many people end up using riseup.net. Surely they support some activism, but it's the kind of activism that borders on thug worship. Many so called collectives using and endorsing riseup.net are the kind that brutally attack a lonely person for wearing the wrong clothes. I know there is a nifty page on the principles of riseup.net that caters for almost everyone, but the standard page for years clearly stated that you have to strictly adhere to standard leftist ideology.

So what if someone perceives you don't adhere to that ideology? Or that you are some sexist pig using their shiny services? What tells me they won't spy on you or even snitch?

I just don't trust that kind of thinking and don't find it belongs to privacy. More like a niche market that definitely isn't for people not into such politics.

You do not understand : as soon as you use an o.s or an app ; you support and you adhere if not , you should go away and never enter in the net world ; it is not for you ...

Fortunately the 'philosophy-policy' is clear and you cannot make an error and even try before adopt it but the net is built on few principles like the 'community' , you cannot be a tourist or a deficiency intellectual (except trying microsoft of course) or a border line (except trying gay-apple or the geek-tweak) and certainly not a bad guy (except trying google,us email, uk serverl etc.) ... choose that it suits you & presto !

Rise.up has a very good & famous reputation so your critics & calumnies are like the cry of a predator who do not find a prey : a stupid thing coming from a stupid mind , a shame. ...

legal and illegal are just points of view and can be manipulated for one's own agenda - voting Conservative is a crime in some people's eyes and smoking cannabis in others, but persecution is universally, in comes tor and Riseup

The highway metaphor is often surprisingly apt.

Almost everyone who drives is using the road system to go about their ordinary quiet lives. But from time to time some erratically driving person whizzes by these ordinary drivers at a high rate of speed, closely followed by the State Police.

The problem for ordinary citizens is that at the dawn of the 21st century, governments all over the world seem to be turning in unison to the autocratic ideology which says "either you support the regime in everything, or you are a criminal".

Riseup is trying to navigate between Scylla and Charybdis, to make a reasonable context-aware distinction between behavior just about anyone would regard as genuinely criminal, and political crimes, which we regard rather as an expression of democratic impulse, of the freedoms of speech and assembly. A government cannot deny these and be truthfully labeled "democratic".

I won't deny that from time to time you might encounter a nasty person using the Riseup Network. A criminal, a troll, an informant, or even a spook. Riseup operates on a shoestring budget and certainly does not have the resources to vet users, so it creates accounts on the honor system. It also does not have a billing system, but asks users to contribute every few months, again using the honor system. Which shows that the People must not be as bad as the Man thinks we are, because after ten years, Riseup is still around and doing great work. Capitalism, eat that!

Returning to the highway metaphor, I find it fascinating that at the dawn of the 20th century, numerous American police chiefs expressed in editorials published around the nation their view that automobiles should be banned. Why? Well, it seems that some early adopters were using horseless buggies to, yes, rob a bank and drive away faster than the pursuing cops (on foot or at best on horseback) could follow. Of course as everyone knows, Henry Ford was not declared a criminal, and the cops eventually started to buy their own fast automobiles and eventually realized that bank robbery was a problem for law enforcement, but not a problem which they could not solve without banning automobiles. Anyone who knows this bit of American history must surely be reminded of embattled FBI Director James Comey's monomaniacal fixation on banning strong civilian encryption, despite the economic havoc that would create.

> to the autocratic ideology which says "either you support the regime in everything, or you are a criminal".
/ no, it is a middle-age mentality (so you are living in a very old period with very modern tool)
> using the honor system.
/ no, good faith is more appropriate (so sincerity has nothing to do with bad vs good).
> a nasty person using the Riseup Network.
/ no, it is for everybody. (disclaimer yet do it).
> Returning to the highway metaphor
/ failed impact (i do not understand your metaphor sorry).
> Riseup is trying to navigate between Scylla and Charybdis.
/ Charybdis and Scylla ? (i do not understand your metaphor sorry)
/ Repeating like a parrot that you read or heard is a good exercise for the memory but why do you not write it in a little bit more coherent style please ?

December 16, 2016

Riseup is doing the best they can! They really don't care if you go somewhere else, like Yahoo; maybe they will work out better for you. Maybe use xampp; let's hope those servers are configured securely for you.

Ha, you remember when it turned out the silk road guy apparently did something similar? Anybody who shows up anonymously hyping some website should cause people to wonder why they're doing it.

Stay safe out there.

December 20, 2016

In reply to arma

I almost misunderstood your post, but after reading it a second time: plus one, twice!

(Note: the first sentence is addressed to the previous commentator, the second to all Tor users.)

December 21, 2016

Riseup.net is a controversial organization with some shady political views. They sound like the people who would gladly silence everyone else if they could. I guess their existence shows the versatility of Tor, though they would operate perfectly fine even without Tor as many Soros lovechildren do. Still, it's strange that they are used to showcase a tool for freedom of expression.

> Riseup.net is a controversial organization with some shady political views.

And what do you think about the party line pushed at Breitbart and 55 Savushkina Street?

> They sound like the people who would gladly silence everyone else if they could.

Is it possible that you are "projecting" your own inclinations onto others about whom you know essentially nothing?

January 31, 2017

Definitely do not want to discourage anyone from using Riseup--- quite the opposite--- but the latest batch of leaked FBI documents published by The Intercept show that

1. FBI agents enjoy wide latitude for deciding (without any need to ask a judge or even an FBI lawyer for advice) whether an NGO is "legitimate",

2. FBI agents can target websites/networks/NGOs without a warrant if they suspect "terrorists" (another term they can define pretty much however they want) might be using it to "spread propaganda" or "recruit members".

See

https://theintercept.com/2017/01/31/undercover-fbi-agents-swarm-the-int…
Undercover FBI Agents Swarm the Internet Seeking Contact With Terrorists
The FBI’s online activities are so pervasive that the bureau sometimes finds itself investigating its own people.
Cora Currier
31 Jan 2017

> According to the guide, an online counterterrorism investigation can target websites or online networks that the FBI believes terrorists are using “to encourage and recruit members” or to spread propaganda. Such probes may extend to the administrators or creators of those forums, as well as people engaged in “the development of communications security practices” or “acting as ‘virtual couriers’ for terrorist organizations by passing online messages among members or leadership.”

Be careful out there! But also: be bold!