On Wednesday, March 7, 2018 at 8:11:25 PM UTC+1, Tim W wrote:
> I am sorry, what is the reason so many people want to get and use a riseup.net 
> account outside political or some other social reason?
> 
> They had their canary down for over a year because of gag order from the feds.
> 
> They have totally rewritten their canary statement since, which was prior very 
> clear and concise.  Now it looks to be a heavily lawyered, careful play on 
> words...thus it's vague, using words that can have widely varying meaning.  
> What is omitted is any speech with the words warrant, gag order, NSL.  If 
> they get any of those it will NOT of itself require them activating the 
> canary protocol.
> 
> Here is their old Canary statement followed by the new one:
> 
> OLD:
> riseup has not received any National Security Letters or FISA court orders, 
> and we have not been subject to any gag order by a FISA court, or any other 
> similar court of any government. Riseup has never placed any backdoors in our 
> hardware or software and has not received any requests to do so. Riseup has 
> never disclosed any user communications to any third party.
> 
> 
> NEW:
> Riseup positively confirms that the integrity of our system is sound. all our 
> infrastructure is in our control, we have not been compromised or suffered a 
> data breach, we have not disclosed any private encryption keys, and we have 
> not been forced to modify our system to allow access or information leakage 
> to a third party.
> 
> 
> Unfortunately we cannot use common sense to read these but they must be read 
> thru the eye of a lawyer.  I think you really see the effects of the rewritten 
> statement. 
> 
> From what I can tell the system is closed source.  They no longer offer any 
> form of encryption.  It must all be done on your email client.  There is no 
> two factor authentication.  The user name and password to get you into your 
> mailbox from what I can see may be moot as there is no info on any use of 
> encryption outside users manually or thru a client using gpg.  If that is 
> correct then any mail not gpg encrypted is sitting in the mailbox in 
> cleartext.  Unless there is something like AES 256 protecting the mailbox via 
> your password but then that means thru the recovery passcode system they very 
> well can get back into your mailbox even with lost credentials and no reset 
> alternate email address.
> 
> For a person that plans to gpg encrypt all their emails what does this offer 
> anyone over the other free email accounts.  Sure your contacts are not mined 
> to hell and back but in terms of email content I see no difference and 
> actually lower login security.
> 
> I was looking at the thread and it looks like around 40 people requested 
> referral codes on this thread while the canary was expired.  One person even 
> mentioned it and it went uncommented on.
> 
> Compare this to say protonmail, it's not even remotely close.  As both can be 
> had for free and without all the need for referrals, as it's targeted toward 
> liberal/social/anticapital political change groups, not sure the point?  
> Elitism?
> 
> I honestly was surprised so many people on this list were asking for it and were 
> unfazed by the fact the canary was expired and it was known they were under a 
> gag order.  We make a big deal about a closed source binary blob for a driver 
> or firmware to a nic or gpu yet a closed source email provider system with a 
> triggered canary and no one misses a beat?  I know the thread was off topic 
> and has been running for years and why I never even read it till now for no 
> other reason than I was wasting time but wow I am surprised.



Yeah your concerns are legitimate.
I guess they changed canary to make it more usable. Old one was a bit awkward 
since due to warrant they were not able to update it or comment anything about 
it.
New one doesn't cover subpoenas and gag orders, but only covers infrastructure 
they control and are always free to comment on.
So new canary is not as reassuring as old one, but new one will not cause this 
6 months old radio silence when users didn't know what is going on.

Btw old gag order and investigation was because of some crypto blackmailing. I 
think I found this somewhere on riseup canary pages.

You are right there is nothing else than username and password protecting your 
account. But this is the same for every other non two factor authentication 
account. And two factor isn't perfect either.
And they are as far as I know closed source so you just have to trust them. Which 
is again same as majority of other email providers.

You mentioned that "They no longer offer any form of encryption."
This is not true. After that gag order debacle they introduced new encrypted 
mailboxes.
https://riseup.net/en/about-us/press/canary-statement
Under this new system (if what they claim is true), feds will not be able to 
read any emails if they don't have password of account. Under old system riseup 
admins were able to provide content of emails to feds without your password, 
under new system they can't. (New system also doesn't allow admins to reset your 
password if you forget it)

So to answer your question, I guess people are recently rushing to riseup 
because it is "known as secure" and they trust the sources where they heard 
that.
In reality nobody can be really sure if whole thing is not just honeypot.

And most importantly. You said that if you encrypt your emails with PGP, riseup 
doesn't offer much more than any other free email provider. This is mostly true. 
But for people that are switching from using gmail, this is still huge step 
forward, since riseup promises they won't mine emails content to serve users ads 
or manipulate them in any other way.

ANYONE USING RISEUP FOR SECURITY CONCERNS, SHOULD STILL USE MANUAL PGP 
ENCRYPTION OF EMAIL CONTENT AND BE CAUTIOUS WITH SUBJECT OF EMAIL
(emails are old technology and data travels between email servers unencrypted)
