Tor at the Heart: Riseup.net

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!


Riseup.net

Riseup.net was started back in 1999 after the WTO protests in Seattle. They provide online communication tools, including email, chat, file uploads and collaborative platforms for people and groups working on liberatory social change. Riseup is a project to create democratic alternatives and to practice self-determination through the control of secure means of communication.

The Riseup collective is made up of many "birds" who believe it is vital that essential communication infrastructure be controlled by movement organizations and not by corporations or governments.

They strive to keep mail as secure and private as possible. They do not log your IP address. (Most services keep detailed records of every machine that connects to their servers. Riseup only keeps information that cannot be used to uniquely identify your machine.) All of your data, including your mail, is stored by riseup.net in encrypted form. They work hard to keep their servers secure and well defended against any malicious attack. They do not share any of their user data with anyone. They actively fight all attempts to subpoena or otherwise acquire any user information or logs. They do not read, search, or process any of your incoming or outgoing mail, other than by automatic means to protect you from viruses and spam or when directed to do so by you when troubleshooting.

Some of the Riseup birds work tirelessly on building secure email infrastructure; one of them runs longclaw, one of our amazing directory authorities; and all of them are dedicated to building a better Internet—and thus, incidentally, a better world. Oh, and they also run two fast Tor exit nodes, wagtail and pipit.

In addition, for years Riseup has been providing Onion Services for each of their services. Start using them today here!

We also can't thank them enough for writing this Onion Service Best Practices Guide, helping countless users and services around the Internet to be more secure, and truly making everyone not part of a DarkWeb but rather a SecureWeb (tm).

We hope we can continue this close relationship with Riseup. So many Tor users around the world depend on them for protection. Please visit our bird friends at Riseup and support their critical work!

And don't forget to donate to the Tor Project and get involved!

Thank you for reading, and soon enjoy not being in 2016 anymore! :)

But don't the quantum inequalities imply that Roger can do only limited damage by bombarding the forces of repression with "negative energy waves"?

Download the last version & install it after verification with the PGP key.
Updating the old is a nice feature of course, but I never use it.

Plus one. Every activist should request a Riseup account and use it.

One point is that emails between two people who both have accounts may never leave the mail server. If both use GPG to encrypt/decrypt end to end using only Tails, and store only encrypted emails and only on encrypted data sticks, it will be very hard for an enemy to compromise communications. Even if a Riseup admin were acting under duress at the point of an FBI firearm.

Plus one. Every activist should request a Riseup account and use it.

Isn't one of the advantages of a federal system that all data are on different machines/jurisdictions etc.?

It's much easier to collect data in a centralized environment than a federated system (just think about Signal vs XMPP --> Whisper Systems could be forced to collect more metadata and to hand them over, but in a federated system with different jurisdictions it's harder to collect all data).

Anonymous

December 16, 2016

In reply to by Anonymous (not verified)

Ars chief tech editor Sean Gallagher made some interesting points about this second reported Yahoo megahack:

http://arstechnica.com/security/2016/12/yahoo-reveals-1-billion-more-ac…
Yahoo admits it’s been hacked again, and 1 billion accounts were exposed
That's a billion with a b—and is separate from the breach "cleared" in September.
Sean Gallagher
14 Dec 2016

> On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from over 1 billion user accounts. The breach took place in August 2013, and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor".
>
> The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer Bob Lord reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
> ...
> Yahoo also had found through outside forensics experts that someone had found a way to forge web browser "cookies" that would allow them to gain access to users' accounts without logging in. "Based on the ongoing investigation," Lord said, "we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies…We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."

An even more important point: there are many things intelligence agencies can do with the passwords of one billion plus ordinary people all over the world. One of the biggest failures of the USIC is that for decades, despite repeated warnings from concerned citizens, it failed to recognize that by practically encouraging FIS to intrude the poorly protected HIEs (health information exchanges), financial and social media accounts used by millions of ordinary Americans, they were severely endangering the "national security" (whatever that means) of the nation they claim to protect. One megabreach which certainly ought to have served as a wake-up call: the loss of the USG dossiers on all its own employees, including those with security clearances. I am no fan of embattled FBI Director James Comey, but he was among the many victims of that particular hack, as he has publicly admitted. Ironic, funny in a way, but also very sad, because so many of us had tried so hard to warn the US political establishment for years of this particular danger, and our reward was to be persecuted by USIC, which failed to even attempt to correct the problems. And continues to fail even today.

"If you want it done right, do it yourself". If you want to protect yourself from attack by enemies foreign or domestic, you need to protect yourself, because your government sure won't. It's all of them (the governments) against all of us (the People).

That's why we, the People of the world, need Tor more than ever.

Anonymous

December 16, 2016

In reply to by Anonymous (not verified)

This is the best assessment I've seen yet of the implications of the recently revealed Yahoo breach of more than one billion user accounts (not the same as a later megabreach which Yahoo revealed about four months ago):

http://arstechnica.com/security/2016/12/what-can-you-do-with-a-billion-…
What can you do with a billion Yahoo passwords? Lots of bad things
Now, Yahoo user data could be behind scores of spear-phishes or other breaches.
Sean Gallagher
15 Dec 2016

> In October of 2013, as a result of documents leaked by Edward Snowden, we learned the National Security Agency tapped straight into the connections between data centers at Yahoo and Google as part of a program called MUSCULAR. A month later, Yahoo announced it would encrypt all of its internal networks between data centers and add Secure Socket Layer encryption and secure (HTTPS) Web connections to all its services. That move, however, failed to prevent two major breaches of user data: a breach affecting user data from more than 500 million user accounts late in 2014 (revealed in September) and the breach revealed yesterday involving data from more than 1 billion accounts. The recent break took place in August of 2013—before the barn door was closed. In addition, Yahoo's chief information security officer, Bob Lord, said that the parties behind the 2014 breach had stolen some of Yahoo's code and used it to forge Web "cookies" that gave access to users' accounts without the need to use login credentials.
> ...

> It's much easier to collect data in a centralized environment than a federated system (just think about Signal vs XMPP --> Whisper Systems could be forced to collect more metadata and to hand them over, but in a federated system with different jurisdictions it's harder to collect all data).

I interpret your comment to mean that Riseup (which operates servers in WA and NY states in the USA) is too easily attacked or even crippled by US LEAs such as FBI.

True enough, but right now it seems that there is no workable alternative. I'd love to see Riseup establish more partnerships with similar organizations in other countries; that would raise a new danger (that raids anywhere could compromise several international activist collectives), but it could also help ensure that any single collective is harder for one government to simply shut down without notice or explanation, as frequently happens in overtly repressive countries, and which many fear will soon become common in the USA.

As with everything else, for everyone working to promote democracy, international cooperation, political activity by citizens, free speech, and access to truthful news sources, it's all about making tough choices between various alternatives, each presenting serious hazards.

One concern which might be easily overlooked by the technically highly capable people who are likely to comment in this blog is that many US activists are not particularly computer literate, whereas most of the allegedly more technically secure software tools tend to be hard for users to set up, or depend upon everyone using specific brands of smart phone, etc. Some of these tools even require that everyone use the most expensive varieties of specific brands, which would exclude the majority of US activists, who tend not to have middle class incomes.

I may not always agree with technical or strategic choices made by Riseup, but I do believe that they take cybersecurity seriously and that they make decisions carefully, taking account of the fact that activists everywhere are continually attacked in various ways by the intelligence services operated by many countries, including many countries which regard each other as bitter enemies.

I believe that one of the most important strategic activities which the more high profile NGOs such as Tor Project can pursue is to try to encourage the growth of a privacy industry, which could potentially eventually result in much more secure and mass produced hardware being widely available to people of modest means in many countries, and software developers could build upon these strengths to provide Open Source tools which ameliorate existing compatibility issues. (One of the reasons I have such high hopes for Tor Messenger is that it is one tool which appears to overcome many compatibility issues, which I hope could lead to its widespread adoption by activists all over the world.)

> It's much easier to collect data in a centralized environment than a federated system (just think about Signal vs XMPP --> Whisper Systems could be forced to collect more metadata and to hand them over, but in a federated system with different jurisdictions it's harder to collect all data).

Yes, but if two people both using Riseup are using end to end encryption, taking care to encrypt/decrypt using protected keyrings under Tails when not connected to the webmail server, it should be much harder for enemies to read our communications or to deanonymize us, or even to detect that we are communicating at all. Even if FBI were forcing a Riseup sysadmin to provide "transparent" access to the server at the point of a gun, FBI would potentially learn only that two specific user accounts (or, by combining with NSA dragnet, two specific citizens) are communicating, not what they are saying. Obviously if these are a reporter and a whistleblower, that would be very bad, but it is possible the agency would not be able to easily spy on content, at least not without a raid, which would alert the parties that their communication/anonymity has been compromised.

Currently, offense is so much easier than defense that state-sponsored attackers have all the advantages against ordinary citizens trying to make the world a better place. To some extent, damage to our cause may be inevitable. If so, we need to fall back on simply trying to mitigate the damage, and perhaps to carry on, despite relentless assault from all the most repressive governments in the world.

Anonymous

December 15, 2016

Riseup.net runs a mail service and uses DNS blacklists to filter incoming emails unbeknownst to their users.

Worst of all, not only does riseup.net rely on third party stealth blocking, they pay a membership to spamhaus.org, the world's most corrupt pseudo anti-spam gang.

This makes riseup.net a sponsor of censorship and a contributor to a money laundering, extortion and fraudulent company.

For this reason, I will never donate to riseup.net

> Riseup.net runs a mail service and uses DNS blacklists to filter incoming emails unbeknownst to their users. Worst of all, not only does riseup.net rely on third party stealth blocking, they pay a membership to spamhaus.org, the world's most corrupt pseudo anti-spam gang.

Do you have any evidence for that claim?

Generally speaking, I happen to share your concerns about spamhaus, but would point out that Riseup does not have the financial resources to operate an independent blacklist, yet just like any other webmail provider the collective must try to protect its users from attack by all the world's crooks (not to mention all the world's spooks), so Riseup is no doubt often caught between a rock and a hard place.

> I will never donate to riseup.net.

I think you might be throwing out the baby with the bathwater then.

All pro-democracy organizations are targeted by so many enemies, and on the Internet the attacker has all the advantages. Which engenders hard choices between less than desirable alternatives.

Clearly for the foreseeable future no one freedom loving collective will be the perfect venue for all activists, but even more clearly, dissidents around the world cannot and must not simply shut down all their activities in defense of free speech and getting the word out about governmental corruption and abuse.

Anonymous

December 16, 2016

I don't understand why so many people end up using riseup.net. Surely they support some activism, but it's the kind of activism that borders on thug worship. Many so-called collectives using and endorsing riseup.net are the kind that brutally attack a lonely person for wearing the wrong clothes. I know there is a nifty page on the principles of riseup.net that caters for almost everyone, but the standard page for years clearly stated that you have to strictly adhere to standard leftist ideology.

So what if someone perceives you don't adhere to that ideology? Or that you are some sexist pig using their shiny services? What tells me they won't spy on you or even snitch?

I just don't trust that kind of thinking and don't find it belongs to privacy. More like a niche market that definitely isn't for people not into such politics.

You do not understand: as soon as you use an OS or an app, you support and you adhere; if not, you should go away and never enter the net world; it is not for you ...

Fortunately the 'philosophy-policy' is clear and you cannot make an error and even try before adopting it, but the net is built on few principles like the 'community'; you cannot be a tourist or a deficiency intellectual (except trying Microsoft of course) or a border line (except trying gay-apple or the geek-tweak) and certainly not a bad guy (except trying Google, US email, UK server etc.) ... choose what suits you & presto!

Riseup has a very good & famous reputation, so your criticisms & calumnies are like the cry of a predator who does not find a prey: a stupid thing coming from a stupid mind, a shame. ...

Legal and illegal are just points of view and can be manipulated for one's own agenda - voting Conservative is a crime in some people's eyes and smoking cannabis in others, but persecution is universally, in comes Tor and Riseup

The highway metaphor is often surprisingly apt.

Almost everyone who drives is using the road system to go about their ordinary quiet lives. But from time to time some erratically driving person whizzes by these ordinary drivers at a high rate of speed, closely followed by the State Police.

The problem for ordinary citizens is that at the dawn of the 21st century, governments all over the world seem to be turning in unison to the autocratic ideology which says "either you support the regime in everything, or you are a criminal".

Riseup is trying to navigate between Scylla and Charybdis, to make a reasonable context-aware distinction between behavior just about anyone would regard as genuinely criminal, and political crimes, which we regard rather as an expression of democratic impulse, of the freedoms of speech and assembly. A government cannot deny these and be truthfully labeled "democratic".

I won't deny that from time to time you might encounter a nasty person using the Riseup Network. A criminal, a troll, an informant, or even a spook. Riseup operates on a shoestring budget and certainly does not have the resources to vet users, so it creates accounts on the honor system. It also does not have a billing system, but asks users to contribute every few months, again using the honor system. Which shows that the People must not be as bad as the Man thinks we are, because after ten years, Riseup is still around and doing great work. Capitalism, eat that!

Returning to the highway metaphor, I find it fascinating that at the dawn of the 20th century, numerous American police chiefs expressed in editorials published around the nation their view that automobiles should be banned. Why? Well, it seems that some early adopters were using horseless buggies to, yes, rob a bank and drive away faster than the pursuing cops (on foot or at best on horseback) could follow. Of course as everyone knows, Henry Ford was not declared a criminal, and the cops eventually started to buy their own fast automobiles and eventually realized that bank robbery was a problem for law enforcement, but not a problem which they could not solve without banning automobiles. Anyone who knows this bit of American history must surely be reminded of embattled FBI Director James Comey's monomaniacal fixation on banning strong civilian encryption, despite the economic havoc that would create.

> to the autocratic ideology which says "either you support the regime in everything, or you are a criminal".
/ no, it is a middle-age mentality (so you are living in a very old period with very modern tool)
> using the honor system.
/ no, good faith is more appropriate (so sincerity has nothing to do with bad vs good).
> a nasty person using the Riseup Network.
/ no, it is for everybody. (disclaimer yet do it).
> Returning to the highway metaphor
/ failed impact (I do not understand your metaphor, sorry).
> Riseup is trying to navigate between Scylla and Charybdis.
/ Charybdis and Scylla? (I do not understand your metaphor, sorry)
/ Repeating like a parrot that you read or heard is a good exercise for the memory but why do you not write it in a little bit more coherent style please ?

Anonymous

December 16, 2016

Riseup is doing the best they can! They really don't care if you go somewhere else, like Yahoo; maybe they will work out better for you. Maybe use xampp, let's hope those servers are configured securely for you.

Ha, you remember when it turned out the silk road guy apparently did something similar? Anybody who shows up anonymously hyping some website should cause people to wonder why they're doing it.

Stay safe out there.

I almost misunderstood your post, but after reading it a second time: plus one, twice!

(Note: the first sentence is addressed to the previous commentator, the second to all Tor users.)

Anonymous

December 21, 2016

Riseup.net is a controversial organization with some shady political views. They sound like the people who would gladly silence everyone else if they could. I guess their existence shows the versatility of Tor, though they would operate perfectly fine even without Tor as many Soros lovechildren do. Still, it's strange that they are used to showcase a tool for freedom of expression.

Anonymous

January 18, 2017

In reply to by Anonymous (not verified)

> Riseup.net is a controversial organization with some shady political views.

And what do you think about the party line pushed at Breitbart and 55 Savushkina Street?

> They sound like the people who would gladly silence everyone else if they could.

Is it possible that you are "projecting" your own inclinations onto others about whom you know essentially nothing?

Anonymous

January 31, 2017

Definitely do not want to discourage anyone from using Riseup--- quite the opposite--- but the latest batch of leaked FBI documents published by The Intercept shows that

1. FBI agents enjoy wide latitude for deciding (without any need to ask a judge or even an FBI lawyer for advice) whether an NGO is "legitimate",

2. FBI agents can target websites/networks/NGOs without a warrant if they suspect "terrorists" (another term they can define pretty much however they want) might be using it to "spread propaganda" or "recruit members".

See

https://theintercept.com/2017/01/31/undercover-fbi-agents-swarm-the-int…
Undercover FBI Agents Swarm the Internet Seeking Contact With Terrorists
The FBI’s online activities are so pervasive that the bureau sometimes finds itself investigating its own people.
Cora Currier
31 Jan 2017

> According to the guide, an online counterterrorism investigation can target websites or online networks that the FBI believes terrorists are using “to encourage and recruit members” or to spread propaganda. Such probes may extend to the administrators or creators of those forums, as well as people engaged in “the development of communications security practices” or “acting as ‘virtual couriers’ for terrorist organizations by passing online messages among members or leadership.”

Be careful out there! But also: be bold!