Re: [liberationtech] Riseup registration process a bit odd...
On 29/10/13 16:50, Douglas Lucas wrote:
> That no one can see an HTTPS URL seems contradicted by this EFF Tor and HTTPS diagram: https://www.eff.org/pages/tor-and-https
>
> For the diagram, if you click the HTTPS button to show what data is visible with only HTTPS enabled, you can see that some of the data is encrypted, but not the site name (site.com in the diagram).
>
> Can anyone clarify?

The site name is visible, but not the rest of the URL.

Cheers,
Michael

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Riseup registration process a bit odd...
On 29/10/13 16:50, Douglas Lucas wrote:
> Can anyone clarify?

When you're using https, all or most of those agents see your location and the website you're visiting. In this case, your 'location' and the fact that you are looking at 'some page within the riseup page'.

No one except the riseup server serving you each page (and by extension the admin if they actually 'look', but it could be they don't 'look' unless there is a troubleshooting need) can see what page of the riseup website you are looking at, nor what user name or password you are inputting.

In the diagram, https://www.eff.org/pages/tor-and-https when you make the https button go green, as in, when you're using https, only 'lawyer' and 'police' of the sysadmin of site.com know more than that, and that only if the sysadmin tells them.

tor seems to add more 'agents' who know little if you're using https.

People need to understand that tor is for anonymity and https is for privacy - two different tools for two different purposes.

better off undetected ;)
--
https://network23.org/bou/
Re: [liberationtech] Riseup registration process a bit odd...
I would assume that they see the port, too. It is also well known that URLs have identifiable signatures based on the number of items retrieved and the packet sizes. In most cases, it is easy to infer the URLs visited. But the encryption should protect data entered into forms.

So, the sequence of URLs seen is not available in clear text, but it is not hard to guess correctly. See:
http://research.microsoft.com/pubs/119060/webappsidechannel-final.pdf

On 10/29/2013 01:09 PM, Sean Alexandre wrote:
> This site name (or domain name) is exposed, but not the URL. So for example if I browse to this URL using Tor:
> https://user.riseup.net/ticket/123456/foo.bar
>
> The exit node can see the domain name:
> user.riseup.net
>
> but not the URL:
> https://user.riseup.net/ticket/123456/foo.bar
>
> Or, another way to say it is the domain name is part of the URL but is not the URL.
>
> On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
>> That no one can see an HTTPS URL seems contradicted by this EFF Tor and HTTPS diagram: https://www.eff.org/pages/tor-and-https
>>
>> For the diagram, if you click the HTTPS button to show what data is visible with only HTTPS enabled, you can see that some of the data is encrypted, but not the site name (site.com in the diagram).
>>
>> Can anyone clarify?
>>
>> Thanks,
>> Douglas
>>
>> On 10/29/2013 07:29 AM, andrew cooke wrote:
>>> it's https. no-one else can see the url.
>>> http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
>>>
>>> andrew
>>>
>>> On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
>>>> Hi All
>>>>
>>>> So I am looking to make a #PRISMBREAK and get a riseup.net account. It will be no secret, as I am aiming for alex.comni...@riseup.net, and I will advertise this publicly.
>>>>
>>>> The registration process seems a bit odd. I get an HTTPS link to check my ticket. The link looks something like https://user.riseup.net/ticket/**/***
>>>>
>>>> The first set of stars is the ticket number, the second is the email address used to register.
>>>>
>>>> I can, I believe, visit this link to monitor the progress of my ticket. However, anyone on the network I used to register, and all the way along the internet to riseup.net can see this link, if I used TOR, presumably the exit node. The link reveals that I have a ticket with riseup and intending to register, the email I am using to register it. The link can then be followed by anyone who saw it along its way on the internet, and my ticket read with my possibly private motivation for doing so elaborated (does not require a login).
>>>>
>>>> My link was: https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
>>>>
>>>> Replace the words in square brackets with punctuation, and I invite you to read my motivation to open a riseup account.
>>>>
>>>> I am no information security professional, so please let me know if anyone else thinks the registration process may be a bit insecure.
>>>>
>>>> Kind regards.
>>>> ...
>>>> Alex Comninos | doctoral candidate
>>>> Department of Geography | Justus Liebig University, Gießen
>>>> http://comninos.org | Twitter: @alexcomninos
Re: [liberationtech] Riseup registration process a bit odd...
people are saying that the site name is visible, but that's not strictly correct.

a server can have many names. with https, someone can see which server you connected to, but they don't see which name you used to do so. (although a very powerful attacker might be able to infer that from other data - dns queries)

the eff tor/https diagram (which is excellent) assumes that the server has a single name (site.com), which is often the case (especially for large, popular sites). then it is easy to infer the name from the server.

i don't know of anywhere that this is used, but in principle a server could host https://catlovers.com and https://terrorism.com, with the first providing cover for the latter (why are you connecting to terrorism.com? i am not; i am looking at cute pictures of cats!). but as someone else said, some information will leak with the size of packets, etc, so it probably isn't that secure or useful anyway.

to understand this further you need to understand the concept of layered protocols. the ssl/tls layer is below the http layer and above the ip layer. so the ip address is visible, but the site name (in the http data, in the url) is not.

andrew
Re: [liberationtech] Riseup registration process a bit odd...
On 29 October 2013 17:49, andrew cooke and...@acooke.org wrote:
> people are saying that the site name is visible, but that's not strictly correct.
>
> a server can have many names. with https, someone can see which server you connected to, but they don't see which name you used to do so.

Yes they do: it's included in the Server Name Indication extension.
Re: [liberationtech] Riseup registration process a bit odd...
getnameinfo() should provide a list of DNS names associated with the IP address. So that catlovers.com and terrorism.com would both be included. Of course, the machine can have multiple IP and DNS names.
Re: [liberationtech] RiseUp
On 10/20/13 5:02 PM, anon14...@safe-mail.net wrote:
> On 18.10.2013 20:20, Fabio Pietrosanti (naif) wrote:
>
> Generally it is not valuable to use only 1 email provider, because email is made up of many pieces:
> - Inbound flow
> - Outbound flow
> - Data storage
>
> That requires a user to have at least 3 different providers by:
> - Splitting your communication flow
> - Stay on countries with (strong economy strong privacy law)
>
> I’m asking on the practical side of the plan. I mail Mr. A. Mr. Now, second email is more likely to end up in Spam. And there are so many yuppies writing about the glory of having a Spam filter. So most people think spam means bad and that’s it. Having the email address in the addressbook might help. But that leads to my second point: Mr. A, assuming he understands I’m the same person from a second email, hits reply, creating an inbound flow to a mailbox made for outbound traffic. Never found a way to fix that.
>
> To fix the scenario you described you can just add a third flow that we can call Reply Inbound Flow. This would be the email flow where all the persons replying to email you've written will go through.
>
> Technically speaking you can just send outbound email with a custom Reply-To: header set that point-out to a different Inbound email address/domain/subdomain (e.g.: yourn...@reply.yourdomain.tld) that goes through a different MX/forwarder on a different ISPs/country pair.

Nice idea, it would improve this protection schema and i'm going to try adding this to my own personal email!

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
Re: [liberationtech] RiseUp
On 10/18/2013 07:23 PM, Alfredo Lopez wrote:
> Besides being wrong, this is truly offensive. Rise-Up is a remarkable collective with outstanding service and enormous commitment to principle.

Then I'd strongly suggest rethinking the four bullet points at:
https://user.riseup.net/forms/new_user/policy

They are ambiguous, and they clash with the clarity of the Political Principles at:
https://help.riseup.net/en/politics#principles

It's not very helpful to introduce ambiguity into the process of registration, _especially_ at the point where you're asking the user to agree to something. Either put all 11 Political Principles on that page, or-- if you really do want to limit your userbase-- focus on the few points from those 11 points that don't share common ground with most widely-held ideologies. But there's just no sense in introducing four poorly-written, unrelated counterpoints that use insider language and a pseudo-intellectual tone to dissuade potential participants.

If Riseup really thinks that a broad spectrum of the political left will have any idea what the phrase vanguard strategy for revolution even means, then they are vastly underestimating the diversity of the left.

Best,
Jonathan
Re: [liberationtech] RiseUp
On 10/15/2013 06:47 PM, elijah wrote:
> On 10/15/2013 03:07 PM, Yosem Companys wrote:
>> If you have any thoughts about Riseup, whether security/privacy-related or otherwise, I'd love to hear them.
>
> I think I am the only person from the Riseup collective who is subscribed to liberationtech, so I will reply, although what follows is not an official position or response from the collective.
>
> We started when it was impossible to get even simple IMAP service that was affordable. Very early on, it became apparent that one of the primary issues facing our constituency (social justice activists) was the rapid rise in abusive surveillance by states and corporations.
>
> Riseup does the best it can with antiquated 20th century technology. Without getting into any details, we do the best that can be done, particularly when both sender and recipient are using email from one of service providers we have special encrypted transport arrangements with. Admittedly, the best we can do is not that great. And, of course, our webmail offering is laughably horrible.
>
> Riseup is not really a US email provider. The great majority of our users live outside the United States, and email is just one of many services we provide.
>
> There has been much discussion on the internets about the fact that Riseup is located in the US, and what possible country would provide the best jurisdictional arbitrage. Before the Lavabit case, the US actually looked pretty good: servers in the US are not required to retain any customer data or logs whatsoever. The prospect of some shady legal justification for requiring a provider to supply the government with their private TLS keys seems to upend everything I have read or been told about US jurisprudence. Unfortunately, no consensus has emerged regarding any place better than the US for servers, despite notable bombast to the contrary.
>
> As a co-founder of Riseup, my personal goal at the moment is to destroy Riseup as we know it, and replace it with something that is based on 21st century technology [1]. My hope is that this transition can happen smoothly, without undue hardship on the users.
>
> As evidenced by the recent traffic on this list, many people are loudly proclaiming that email can never be secure and it must be abandoned. I have already written why I feel that this is both incredibly irresponsible and technically false. There is an important distinction between mass surveillance and being individually targeted by the NSA. The former is an existential threat to democracy and the latter is extremely difficult to protect against.
>
> It is, however, entirely possible to layer a very high degree of confidentiality, integrity, authentication, and un-mappability onto email if we allow for opportunistic upgrades to enhanced protocols. For example, we should be able to achieve email with asynchronous forward secrecy that is also protected against meta-data analysis (even from a compromised provider), but it is going to take work (and money) to get there.
>
> Yes, in the long run, we should all just run pond [2], but in the long run we are all dead.

The first thing you should do is remove the social contract from your registration page. It's creepy and (should be) completely at odds with your privacy policy. (That is, it should read even _we_ can't ban you from using our service to talk about the following things in confidence with others...)

Furthermore, every single bullet point is ambiguous and would be subject to a flame war if I posted them here. That is, they are so wide open that people could reasonably take an opposing view for any or all of them, in good faith or bad.

Personally, I agree with Riseup's position on those bullet points (assuming I understand them the same as you). But I disagree with requiring people to answer them if they want to try to be safer when they use the internet. Essentially, a requirement to click such a button is asking people to lie to themselves in order to use your service. Even the Pope and the military have seen fit to stop making people do that.

Best,
Jonathan

> -elijah
>
> [1] https://leap.se/email
> [2] https://pond.imperialviolet.org/
Re: [liberationtech] RiseUp
As Elijah wrote, the point of riseup is to serve a specific constituency. The point is not to help the general public encrypt their email.
Re: [liberationtech] RiseUp
On Fri, Oct 18, 2013 at 10:53 AM, Sahar Massachi say...@gmail.com wrote:
> As Elijah wrote, the point of riseup is to serve a specific constituency. The point is not to help the general public encrypt their email.

Exactly, and they do that quite well. Those who use RiseUp's mailing lists rave about the service.

YC
Re: [liberationtech] RiseUp
Hello Sahar,

I am interested in the political economy of digital media and am author of a forthcoming book about Occupy and social media. Alternative media and technologies are facing the challenge of acquiring resources for being run. I am wondering how at RiseUp you organized the necessary resources (working time, people, software development and upgrade, system administration etc) and what your experiences were with voluntary donations? I would be interested to hear how well the donation system works?

Thanks a lot.

Best wishes,
Christian

--
Christian Fuchs
Professor of Social Media
University of Westminster, Communication and Media Research Institute, Centre for Social Media Research
http://fuchs.uti.at, http://www.triple-c.at
http://www.westminster.ac.uk/csmr
@fuchschristian
c.fu...@westminster.ac.uk
+44 (0) 20 7911 5000 ext 67380
Re: [liberationtech] RiseUp
On 10/16/13 12:07 AM, Yosem Companys wrote:

If you have any thoughts about Riseup, whether security/privacy-related or otherwise, I'd love to hear them.

While I appreciate Riseup project goals and approach, I would not personally keep my usual email flow (inbound/outbound) going through a communication line that's used by many other sensible users, because it's more likely to be massively monitored.

Generally it is not valuable to use only 1 email provider, because email is made up of many pieces:
- Inbound flow
- Outbound flow
- Data storage

That requires a user to have at least 3 different providers by:
- Splitting your communication flow
- Stay on countries with (strong economy strong privacy law)

I wrote about this concept/setup there https://mailman.stanford.edu/pipermail/liberationtech/2012-February/003144.html

Anyone can implement their own mix of providers/countries/flows by using easy web-interfaces of hosting providers without having to deal with server's setup.

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
Re: [liberationtech] RiseUp
On Fri, Oct 18, 2013 at 8:54 PM, Yosem Companys compa...@stanford.edu wrote:

On Fri, Oct 18, 2013 at 10:53 AM, Sahar Massachi say...@gmail.com wrote:

As Elijah wrote, the point of riseup is to serve a specific constituency. The point is not to help the general public encrypt their email.

Exactly, and they do that quite well. Those who use RiseUp's mailing lists rave about the service.

First, users raving about a service typically has very little to do with quality of the service as a security product. I believe that's why you posted the original question, after all.

Second, the unusual stress of ideology in such a service is very relevant to product's security in this case. When I read RiseUp's social contract page [1] some time ago, I found the mild creepiness and passive-aggressiveness quite amusing, but immediately thought the following: these guys seem pretty radicalized in whatever hippie ideology they seem to be adepts of. This probably indicates that in their closed group, they value ideological loyalty at least as highly as technical expertise. It means that one of them could be incompetent and still have administrative access to security-critical systems, or that one of them could be recruited at some point under a suitable ideological pretense — compromising the service in either case.

[1] https://www.riseup.net/en/social-contract

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: [liberationtech] RiseUp
On 10/18/2013 01:20 PM, Fabio Pietrosanti (naif) wrote:

On 10/16/13 12:07 AM, Yosem Companys wrote:

If you have any thoughts about Riseup, whether security/privacy-related or otherwise, I'd love to hear them.

While I appreciate Riseup project goals and approach, I would not personally keep my usual email flow (inbound/outbound) going through a communication line that's used by many other sensible users, because it's more likely to be massively monitored.

Generally it is not valuable to use only 1 email provider, because email is made up of many pieces:
- Inbound flow
- Outbound flow
- Data storage

That requires a user to have at least 3 different providers by:
- Splitting your communication flow
- Stay on countries with (strong economy strong privacy law)

I'm not sure how any of that would help if your upstream connection is tapped or if the attacker has a sufficiently large view of the Internet as we think agencies like GCHQ and NSA have. Assuming they don't have the TLS keys for the particular services you're using, it would be trivial to do traffic analysis and grab the data as it's being transferred between provider machines. Keep in mind that most server to server email traffic isn't actually encrypted yet.

Or am I missing something you're saying?

Anthony
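An added example, not part of any message in this thread: a Python check that reads a message's `Received` trace headers and reports which hops were recorded as plaintext, the server-to-server condition Anthony describes above. The sample message and its outbound/inbound/storage hostnames are constructed placeholders, and trace headers written by servers you do not control can be forged, so the result is evidence only for hops added by your own providers.

```python
import email
import re
from dataclasses import dataclass
from typing import List, Optional

# IANA "with" protocol types (RFC 3848 and later) that mean the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
# TLS noted in a comment, e.g. "(using TLSv1.2 ...)" or "(version=TLS1_2 ...)".
TLS_COMMENT = re.compile(r"\b(?:using|version=)\s*(?:TLS|SSL)", re.I)

# Constructed sample: client -> outbound -> inbound -> storage provider.
# All hostnames and addresses are placeholders (assumptions, not from the thread).
SAMPLE = """\
Received: from inbound.example.net (inbound.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby storage.example.org (Postfix) with ESMTPS id 4AAA1;
\tFri, 18 Oct 2013 20:23:05 +0000
Received: from outbound.example.com (outbound.example.com [198.51.100.7])
\tby inbound.example.net (Postfix) with ESMTP id 3BBB2;
\tFri, 18 Oct 2013 20:23:03 +0000
Received: from [203.0.113.5] (client.example.com [203.0.113.5])
\tby outbound.example.com (Postfix) with ESMTPSA id 2CCC3;
\tFri, 18 Oct 2013 20:23:01 +0000
Subject: constructed test message

body
"""

@dataclass
class Hop:
    sender: str
    receiver: str
    protocol: Optional[str]
    encrypted: Optional[bool]  # None when the header gives no indication

def split_comments(value: str):
    """Return (text outside parentheses, text of all comments), nesting-aware."""
    comments = []
    while True:
        m = re.search(r"\(([^()]*)\)", value)  # innermost comment first
        if not m:
            return value, " ".join(comments)
        comments.append(m.group(1))
        value = value[:m.start()] + " " + value[m.end():]

def parse_hops(raw_message: str) -> List[Hop]:
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        outside, comments = split_comments(" ".join(value.split()))
        sender = re.search(r"\bfrom\s+(\S+)", outside)
        receiver = re.search(r"\bby\s+(\S+)", outside)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", outside)
        protocol = proto.group(1).upper() if proto else None
        if protocol in TLS_PROTOCOLS or TLS_COMMENT.search(comments):
            encrypted = True
        elif protocol is not None:
            encrypted = False
        else:
            encrypted = None
        hops.append(Hop(sender.group(1) if sender else "?",
                        receiver.group(1) if receiver else "?",
                        protocol, encrypted))
    return hops

def plaintext_hops(hops: List[Hop]) -> List[Hop]:
    """Hops whose receiving server recorded a non-TLS transfer."""
    return [h for h in hops if h.encrypted is False]

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(hop)
```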
Re: [liberationtech] RiseUp
On Fri, Oct 18, 2013 at 11:20:58PM +0300, Maxim Kammerer wrote:

snip

Second, the unusual stress of ideology in such a service is very relevant to product's security in this case. When I read RiseUp's social contract page [1] some time ago, I found the mild creepiness and passive-aggressiveness quite amusing, but immediately thought the

So what exactly is creepy and passive-aggressive about stating a target audience?

following: these guys seem pretty radicalized in whatever hippie ideology they seem to be adepts of. This probably indicates that in their closed group, they value ideological loyalty at least as highly as technical expertise. It means that one of them could be incompetent and still have administrative access to security-critical systems, or that one of them could be recruited at some point under a suitable ideological pretense — compromising the service in either case.

Well, let's apply that rhetoric to 99% of the alternatives: commercial providers.

Commercial providers seem pretty radicalized in wanting to make money. This probably indicates that in their closed group, they value money at least as highly as technical expertise. It means that one of them could be incompetent and still have administrative access to security-critical systems, or that one of them could be recruited at some point under a suitable monetary compensation — compromising the service in either case.

Therefore it seems that actually RiseUp being non-profit and ideology-based are favorable aspects for the security of their services. To assume that RiseUp acting out of ideology means one of them may be incompetent or can be recruited under some ideological pretense shows that you have not understood much of the dynamics of social movements nor of RiseUp's ideology.

x,
l.
Re: [liberationtech] RiseUp
On 10/18/13 10:23 PM, Anthony Papillion wrote:

Generally it is not valuable to use only 1 email provider, because email is made up of many pieces:
- Inbound flow
- Outbound flow
- Data storage

That requires a user to have at least 3 different providers by:
- Splitting your communication flow
- Stay on countries with (strong economy strong privacy law)

I'm not sure how any of that would help if your upstream connection is tapped or if the attacker has a sufficiently large view of the Internet as we think agencies like GCHQ and NSA have.

The choice of the countries and path among the countries is relevant. The right choice of EU-countries mix would likely challenge GCHQ and NSA ability to wiretap you. They can operate massively in their own countries and in international environment (sea, space), but not everywhere. They will be able to catch the traffic that you send to recipients that are on NSA/GCHQ monitored communications lines, but you can avoid them to look at the traffic you make to interact with your email systems (inbound/outbound/datastorage).

Assuming they don't have the TLS keys for the particular services you're using, it would be trivial to do traffic analysis and grab the data as it's being transferred between provider machines.

With Email, unless you use a closed system and/or non-standard technology, you need to interoperate with all the other email system, for that reason you'll never reach a complete protection. However, having likely placed yourself outside a massive monitoring communication path, you should consider to make access to all your communications and data more difficult.

A LEA first needs to find the right target where to make an inquiry with an international warrant:
1) If they have an email from you, they will likely ask to seize and/or intercept traffic and/or metadata at your OUTBOUND provider
2) If they don't have an email from you, they will likely ask to seize and/or intercept and/or metadata traffic at your INBOUND provider

In all the situations the country selection with high wealth, good judicial system, good privacy will likely:
- reduce actions from intelligence cooperation
- make much more difficult to get an international warrant
- make much more difficult to get cooperation through corrupted employees at ISPs/Telcos

In both cases (1 2) the seizure request will fail, because there's no email being stored there (but LEA doesn't know about that). In both cases (1 2) the metadata request, if available, will only reveal one-path of your communications.

By choosing INBOUND/OUTBOUND providers as companies that does not usually act as ISPs or Telco, it's likely to introduce additional complexity due to the inability of the provider to comply with a Lawful requests. For example:
- Email marketing services are good OUTBOUND providers
- DNS/Domain provider with MX forwarding services are good INBOUND provider

Only after a successful request of seizure at INBOUND provider, the LEA with a second request (asking why the seizure request failed), would discover the existence of the STORAGE provider. They will then need again to repeat the process until LEA is able to acquire your data at the STORAGE provider.

All that kind of steps are to introduce legal, technical and operational complexity for a LEA to acquire in one-shot and with one request:
- a copy of your emails (seizure requests)
- traffic logs of your email (metadata inquiry)
- your email traffic activity (interception request)

This is not going to fix all of your problems but it's IMHO a *stronger system* than a single email provider setup, in a single country, in a GCHQ/NSA massively monitored communication line.

This is obviously for an average user that does not engage in snowden-grade leaks :)

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
Re: [liberationtech] RiseUp
On 10/18/2013 04:57 PM, groente wrote:

On Fri, Oct 18, 2013 at 11:20:58PM +0300, Maxim Kammerer wrote:

snip

Second, the unusual stress of ideology in such a service is very relevant to product's security in this case. When I read RiseUp's social contract page [1] some time ago, I found the mild creepiness and passive-aggressiveness quite amusing, but immediately thought the

So what exactly is creepy and passive-aggressive about stating a target audience?

This is sensible: https://help.riseup.net/en/politics#purpose

Whoever came up with that is a different person or group than the person or group that reduced it to four bullet points that casually throw in the phrase population control. It's confusing and counterproductive.

If your aim is to only support a specific constituency, I suggest putting your Political Principles inline and putting a checkbox to show that people registering have read it (and if you really want to limit the audience, make them agree to it as well). The kind of userbase you undoubtedly want to attract is the kind that actually takes the time to comprehend what they're reading and reflect on its meaning.

Best,
Jonathan
Re: [liberationtech] RiseUp
Besides being wrong, this is truly offensive.

Rise-Up is a remarkable collective with outstanding service and enormous commitment to principle. More than a decade of that kind of service to the progressive movement in this country. I have no problem saying that we at MF/PL are proud to work with them and many other people in this country are as well. They stand up. They believe in data protection and they make sure data is protected. Their systems run consistently and reliably. I know this for a fact.

You don't know anything about them! You have a political disagreement with left-wing politics. That's fine. But to insult, denigrate and make fun of people's beliefs -- that's not fine at all!

And to speculate that, because someone believes the society is unjust and should be changed, they would allow incompetent people to work with their system!!! That would mean that no organization with a belief in anything could be trusted.

Alfredo

Second, the unusual stress of ideology in such a service is very relevant to product's security in this case. When I read RiseUp's social contract page [1] some time ago, I found the mild creepiness and passive-aggressiveness quite amusing, but immediately thought the following: these guys seem pretty radicalized in whatever hippie ideology they seem to be adepts of. This probably indicates that in their closed group, they value ideological loyalty at least as highly as technical expertise. It means that one of them could be incompetent and still have administrative access to security-critical systems, or that one of them could be recruited at some point under a suitable ideological pretense — compromising the service in either case.
[1] https://www.riseup.net/en/social-contract

--
Alfredo López
Co-Chair, Leadership Committee
May First/People Link
https://mayfirst.org
My Column on: http://thiscantbehappening.net
My Blog http://www.alfredolopez.org
Re: [liberationtech] RiseUp
On 10/18/2013 04:57 PM, groente wrote:

Well, let's apply that rhetoric to 99% of the alternatives: commercial providers.

Commercial providers seem pretty radicalized in wanting to make money. This probably indicates that in their closed group, they value money at least as highly as technical expertise. It means that one of them could be incompetent and still have administrative access to security-critical systems, or that one of them could be recruited at some point under a suitable monetary compensation — compromising the service in either case.

Therefore it seems that actually RiseUp being non-profit and ideology-based are favorable aspects for the security of their services. To assume that RiseUp acting out of ideology means one of them may be incompetent or can be recruited under some ideological pretense shows that you have not understood much of the dynamics of social movements nor of RiseUp's ideology.

Very well said! And to add, when people talk about ideology in such a way, to me, it clearly shows that they don't understand the most basic facts about politics. Ideology is everywhere, it permeates all social relations, it shapes everyday life, and is a factor of power (which the Riseup collective has been carefully nurturing to enable it to struggle in its various political campaigns, which is pretty admirable in my book). Being technically competent does not preclude the same person from being politically incompetent (and vice versa), but these two aspects need not be mutually exclusive.
Re: [liberationtech] RiseUp
On 10/15/2013 03:07 PM, Yosem Companys wrote:

If you have any thoughts about Riseup, whether security/privacy-related or otherwise, I'd love to hear them.

I think I am the only person from the Riseup collective who is subscribed to liberationtech, so I will reply, although what follows is not an official position or response from the collective.

We started when it was impossible to get even simple IMAP service that was affordable. Very early on, it became apparent that one of the primary issues facing our constituency (social justice activists) was the rapid rise in abusive surveillance by states and corporations.

Riseup does the best it can with antiquated 20th century technology. Without getting into any details, we do the best that can be done, particularly when both sender and recipient are using email from one of the service providers we have special encrypted transport arrangements with. Admittedly, the best we can do is not that great. And, of course, our webmail offering is laughably horrible.

Riseup is not really a US email provider. The great majority of our users live outside the United States, and email is just one of many services we provide.

There has been much discussion on the internets about the fact that Riseup is located in the US, and what possible country would provide the best jurisdictional arbitrage. Before the Lavabit case, the US actually looked pretty good: servers in the US are not required to retain any customer data or logs whatsoever. The prospect of some shady legal justification for requiring a provider to supply the government with their private TLS keys seems to upend everything I have read or been told about US jurisprudence. Unfortunately, no consensus has emerged regarding any place better than the US for servers, despite notable bombast to the contrary.

As a co-founder of Riseup, my personal goal at the moment is to destroy Riseup as we know it, and replace it with something that is based on 21st century technology [1]. My hope is that this transition can happen smoothly, without undue hardship on the users.

As evidenced by the recent traffic on this list, many people are loudly proclaiming that email can never be secure and it must be abandoned. I have already written why I feel that this is both incredibly irresponsible and technically false.

There is an important distinction between mass surveillance and being individually targeted by the NSA. The former is an existential threat to democracy and the latter is extremely difficult to protect against.

It is, however, entirely possible to layer a very high degree of confidentiality, integrity, authentication, and un-mappability onto email if we allow for opportunistic upgrades to enhanced protocols. For example, we should be able to achieve email with asynchronous forward secrecy that is also protected against meta-data analysis (even from a compromised provider), but it is going to take work (and money) to get there. Yes, in the long run, we should all just run pond [2], but in the long run we are all dead.

-elijah

[1] https://leap.se/email
[2] https://pond.imperialviolet.org/