> (Full Disclosure: I know some people involved in Riseup Labs, etc.)
>
> Riseup goes out of their way to not log data. They maintain patches to
> free software programs[0] to ensure that their software isn't logging.
> In addition, they contribute these patches back to the community.
> Because they do not log, that means that short of a specific wiretap,
> there isn't data for someone to fetch from their machines.
>
> Furthermore, I think it's out of line for you to say that Riseup is
> compromised. Riseup has some really talented administrators and many of
> them are active in the free software community.
>
> Obviously, no one is perfect and everyone can be compromised when
> specific resources can be allocated. I still object to you promoting the
> idea that they're compromised. Do you have any specific proof of this?
> Or are you just speculating that they're a high value target and thus
> they are clearly owned? If that's the case, it's pretty hilarious to
> imagine that Riseup is of greater value to an attacker than all of Gmail.
>
> While it's true that you might be lost in the noise when you generally
> use Gmail, your mail is scanned for content and context as part of their
> normal service. When you do arouse suspicion (either internally or
> externally), Google isn't going to fight a subpoena or a gag order;
> Riseup most certainly will. And they're proactive (see that bit about
> not logging in the first place) about their fighting.
>
> I disagree. I think that if you're sending encrypted email, you still
> have a massively unknown quantity with gmail or other commercial email
> providers. Riseup also uses a lot of disk crypto and while it's
> imperfect[1], it's probably going to help if they decide to take a stand
> or if the search is illegal.
>
> Regards,
> Jacob
>
> [0] http://riseuplabs.org/privacy/
> [1] http://citp.princeton.edu/memory/

If riseup was owned, it wouldn't be by a hacker.
It would be owned at a level that no lack of logging, disk crypto, or participation in the community would help. It would be owned by a tap on the wire, a gag order, and the "keys to the castle" for everything else.

I don't wish to impugn the riseup team in any way. I think they're doing a great job, and doing something that's very needed for the activist community. I'm sure they've got enough security on it to bar out just about anything. But I'm also sure they have lives that they care about, and I'm also sure that if it came down to them handing things over to the FBI or being caught up in the green scare, they'd do the self-preserving thing. It's what anyone would do, and it's what I expect of them. I'm sure they'd try to fight it however they could, but again, they aren't exactly blending into the crowd. Their favicon is a red/black star, they link to other radical sites, they provide email lists to groups that are probably on terror watchlists. They're most certainly in a spotlight, if they aren't already wiretapped or subpoenaed.

Sure, they may try to fight. But will they really go to prison so that my email can be unread? They won't be going up for privacy, they'll be seen by the masses of America as supporters of "eco-terror" or whatever demon is the label of the day. And if they fight, they won't be fighting for the 1st amendment, they'll be fighting against the PATRIOT act. Not to mention that they've got limited resources, and can only keep up for so long.

Again, don't get me wrong. The riseup team are all (probably, as I don't know them) great people, and they're certainly providing a needed service. But I don't expect them to take a bullet for me.

I would think that a gmail account, sending PGP-encrypted messages, would be sufficiently under the radar. If sending PGP alone flags you, then it could easily be steg'd into a picture. But on Riseup, you're well on the radar to begin with, and that's troubling to me.
Unless we get into "can <your choice of MJ12, Illuminati, NSA or Grey Aliens> crack PGP", that should keep you safe from context scanning (and when I mentioned sending only encrypted messages, I was speaking of PGP, to be clear).

In short, I think Riseup is great, but I would love it a lot more if the server had protection from the legal kind of compromising, possibly through Tor as a hidden service. I wouldn't advocate using Riseup because they profess to having good admin practices; admins can be changed quite transparently for users, and you don't know if the Riseup team is really running the show. Gmail can't context-scan encrypted or steg'd email.

> use off the record [0] or something equivalent for private
> conversations! you get clear indication of state (private/not
> private) and it was designed for end to end privacy.
>
> (just my personal opinion :)

I advocate OTR every chance I get. It's really great: it's deniable, it's authenticating, and it's available on all major (free or not) OS's. It's fantastic, IMHO.