
Re: AVG + TOR = BARF



Teddy Smith wrote:
> you read google's privacy policy.
> 
> personally, i think two good free places for e-mail are lavabit.com and
> riseup.net.
> 
> maybe our friend roy lanek knows of other suitable places? ;)
>
> Not to sound tinfoil, but I would trust Google _far_ more than I would
> trust riseup. With its political agenda it's most definitely
> compromised, and if it isn't now, it will be the instant the FBI can say
> some ELF member uses it. Google may log everything, but that means that
> google's logging a _lot_, and you won't be drawn under suspicion just by
> using it. Good anonymity comes from blending into a crowd, and riseup
> won't let you do that.

(Full Disclosure: I know some people involved in Riseup Labs, etc.)

Riseup goes out of their way to not log data. They maintain patches to
free software programs[0] to ensure that their software isn't logging.
In addition, they contribute these patches back to the community.
Because they do not log, that means that short of a specific wiretap,
there isn't data for someone to fetch from their machines.

Furthermore, I think it's out of line for you to say that Riseup is
compromised. Riseup has some really talented administrators and many of
them are active in the free software community.

Obviously, no one is perfect and everyone can be compromised when
specific resources can be allocated. I still object to you promoting the
idea that they're compromised. Do you have any specific proof of this?
Or are you just speculating that they're a high value target and thus
they are clearly owned?  If that's the case, it's pretty hilarious to
imagine that Riseup is of greater value to an attacker than all of Gmail.

While it's true that you might be lost in the noise when you generally
use Gmail, your mail is scanned for content and context as part of their
normal service. When you do arouse suspicion (either internally or
externally), Google isn't going to fight a subpoena or a gag order;
Riseup most certainly will. And they're proactive (see that bit about
not logging in the first place) about their fighting.

> As always, this won't matter if you only use the account with encrypted
> content. However, a lot of activists I've talked to think that the fact
> that riseup uses SSL means "the account is encrypted", so I don't think
> that'll be popular anytime soon.

I disagree. I think that if you're sending encrypted email, you still
have a massively unknown quantity with gmail or other commercial email
providers.  Riseup also uses a lot of disk crypto and while it's
imperfect[1], it's probably going to help if they decide to take a stand
or if the search is illegal.

Regards,
Jacob

[0] http://riseuplabs.org/privacy/
[1] http://citp.princeton.edu/memory/