Riseup: "There is no need for panic."

UPDATE: Riseup has sent out a tweet asking people not to panic, asserting that they still have full control over their servers, and saying more information will come at some future date. Their studious failure to refute having a gag order basically certifies the existence of one. But again, don’t panic. A gag order doesn’t mean their servers are compromised. We have every reason to trust that Riseup would rather pull the plug.

 

Riseup’s Canary Has Died


Popular provider of web tools for activists and anarchists and backbone of much infrastructure for internet freedom, Riseup.net has almost certainly been issued a gag order by the US government.

 

Riseup regularly updates a canary located here certifying that they haven’t received a gag order, court orders or the like. That canary has gone dead (ie has not been updated). In addition just before it expired Riseup posted a tweet with Cohen lyrics “listen to the hummingbird, whose wings you cannot see, listen to the hummingbird, don’t listen to me” and a tweet saying “we have no plans on pulling the plug” with a screencap of the segment of their FAQ that says they’d rather pull the plug on services than comply with surveillance. Of course this entry in their FAQ also says you should back up email in preparation for such a shutdown.

My read is that Riseup is complying with the gag order while fighting the surveillance demanded in court. Riseup is made up of long-time anarchist activists who would feel obliged to go to prison rather than collaborate in snitching out others. However there is a small chance someone could crack from threats of decades in prison. Additionally there’s a much more substantive chance that regardless of their optimism Riseup may soon be forced to close everything down.

 

This is an incredibly unfortunate development given the Riseup collective’s longstanding role for many activists and radicals in providing email, listservs, VPNs, and assorted tools like Etherpad. However this should serve as a stark wakeup call about the dangers of relying on centralized services. The last decade has seen a collapse of the once varied and widely networked internet into a number of centralized services (like Facebook and Gmail, but also Riseup and Signal).

If you currently use Riseup you shouldn’t panic, but there are a number of productive steps you can take:

 

1) Backup all your emails on your Riseup account locally. This may require you to (install and) connect Thunderbird to your email account rather than just using the webmail through your browser. See this array of options for backing up while using IMAP.  (Additionally it’s a good idea to enable full disk encryption or separately encrypt your email back up. The EFF has guides for full disk encryption for Windows. For Macs see this. Ubuntu, Linux Mint and several other Linux variants provide full disk encryption as an option when first installing the operating system.)

 

2) Get another email address that you can use as a fallback. Resist.ca is based out of Canada (which doesn’t do you much good but at least some). Protonmail is based in Switzerland, although be a bit suspicious about the “encryption” claims they make, there are problems. There are many other email providers. Gandi is popular. Time to shop around or — if you’re a confident sysadmin — roll up your sleeves and run your own email server.

 

3) Set up another listserv with another provider if your group currently uses riseup for listservs. Resist.ca runs listservs.

 

4) You can set up email forwarding with Riseup. Either to pipe emails to your Riseup account to your new account or pipe emails to your new account to Riseup (if say you want to start popularizing a new email address but continue primarily answering through Riseup for the time being).

 

5) Remember that while some providers may encrypt emails once received on their server, all email is basically sent unencrypted between servers. Every email is a postcard, readable by nearly everyone. Unless you and the person you’re corresponding with use PGP. So use PGP. It can be daunting to set up and to get a handle on using (the user interface is infamously non intuitive), however PGP is very useful and provides a good baseline. Email is a federated (moderately decentralized) protocol in wide use that will thus be one of the last services shut down by authoritarians (unlike encryption services that use centralized servers like Signal). The EFF has good guides to setting up PGP for Linux, Windows, and Mac. And Micah Lee has a good overview of it.

Zeige Kommentare: ausgeklappt | moderiert

Die oben genannte Vermutung ist tatsächlich nicht unplausibel:

 

My read is that Riseup is complying with the gag order while fighting the surveillance demanded in court.

 

Übersetzt:

 

Ich vermute, dass Riseup eine Gag Order (= Anordnung, nicht öffentlich darüber zu sprechen) befolgt und gleichzeitig juristisch gegen eine Überwachungs-Anfrage vorgeht.

 

Mit wilden Gerüchten schadet ihr Riseup ganz enorm.

Die Tweets lassen in Kombi mit der Verzögerung allerdings nicht auf Gutes schliessen. Andererseits beachte mensch den Auszug aus dem Canary:

Riseup intends to update this report approximately once per quarter.

Und "approximately" heisst, es kann in den nächsten Tagen noch passieren, Panik bringt nichts. Aber Gedanken dazu sollte mensch sich auf jeden Fall machen!

 

Internet dezentralisieren! Services kollektivieren!

 

PS: Ob protonmail echt empfehlenswert ist, möchte ich hier nicht entscheiden. Geneigte Leser*innen machen sich davon lieber selber ein Bild. Vorschläge dazu:

http://www.golem.de/news/security-kritik-am-e-mail-dienst-protonmail-140...

http://www.nzz.ch/digital/protonmail-thomas-roth-javascript-1.18339123

https://www.theguardian.com/technology/2015/nov/05/protonmail-service-he...

wenn es um sensible Emailkommunikation geht.

Lest Euch vor der Wahl eines Email-Anbieters* gut in das Thema ein.

Hilfestellung dazu:

https://www.kuketz-blog.de/?s=email

https://www.privacy-handbuch.de

1. There is no need for panic.
2. Our systems are fully under our control.
3. We will provide additional information at a later date.

4. Our prior tweets did not have any hidden subtext.

 

Source: https://twitter.com/riseupnet

Schön und gut, aber wer will garantieren, dass der twitter Account nicht von jemanden übernommen wurde? Deshalb wird ja auch die Kanarienvogelmeldung mit PGP-signiert ... Nur eine entsprechende PGP signierte Nachricht bietet die höchst möglichste Sicherheit, dass es auch die riseup-Vögel sind, die da zu uns sprechen. So bleibt weiterhin die Unsicherheit bestehen, was da wirklich los ist ....

Die Leute von Systemli, die mit Riseup zusammenarbeiten und die Situation sicherlich besser einschätzen können als nur auf Basis von Twitter-Nachrichten und Spekulationen schreiben:

systemli.org @systemli 17 Std.Vor 17 Stunden

systemli.org hat riseup.net retweetet

Don't believe the hype. @riseupnet made it clear, they would rather pull the plug, than submit to repressive surveillance.

entweder der Kanarienvogel ist tot, oder er ist nicht tot. Irgendetwas dazwischen gibt es nicht. Das Prinzip dieser Methode ist, das es egal ist was man darüber hinaus nach Außen kommuniziert.

As of August 16, 2016 [1], riseup has not received any National Security Letters or FISA court orders [...] Riseup intends to update this report approximately once per quarter.

In diesem Kontext würde ich "quarter" als Quartal übersetzen. Dann ist der 16. August 2016 im dritten Quartal (Juli - September) und wir befinden uns aktuell im vierten Quartal (Oktober - Dezember). Wenn sie nun "einmal pro Quartal" ("once per quarter") eine Aktualisierung ankündigen, dann haben sie also noch bis zum 31. Dezember Zeit! Wenn sie noch ein "zirka" ("approximately") hinzufügen, dann wollen sie damit wohl ausdrücken, dass wir uns auch keine Sorgen machen müssen, wenn es erst Anfang nächsten Jahres aktualisiert wird.

Auch wenn es noch so häufig wiederholt wird, an der Behauptung der Canary sei abgelaufen, ist schlicht nichts dran.

Die eff hat einen guten Überblickstext zur Praxis und der Problematik von Warrant Canaries herausgegeben: https://www.eff.org/deeplinks/2016/05/canary-watch-one-year-later

We also observed warrant canaries behaving in unexpected ways. Sometimes a canary would have subtle changes in language or grammar, which can be hard to interpret. [...]  Canaries often were not updated at all, or were updated several days or weeks late. [...] All of this uncertainty caused numerous false alarms, which made it difficult to monitor warrant canaries. Additionally, this chaos served as a further demonstration of how difficult it is to interpret what it means when a warrant canary changes.

Da Panik meistens eh die schlechteste Handlungsoption ist, wäre es doch vielleicht einfach mal gut abzuwarten, was riseup an zusätzlichen Informationen zu einem späteren Zeitpunkt bekannt gibt ("We will provide additional information at a later date."), anstatt wild rumzuspekulieren

das mal jemand übersetzen? Computersprache schon zu schwierige Sprache, in Englisch erst recht. Gibt ja auch einige Riseup Nutzer*Innen die nicht so firm sind wie manch andere hier.

Die Übersetzung ist unter dem Artikel verlinkt: https://linksunten.indymedia.org/de/node/197523