riseup.net likely compromised

riseup.net, a popular service provider among privacy and activist circles, tweeted an obscure reference to birds, which likely refers to their warrant canary, which hasn't been renewed since August.

I have looked through their whole Twitter media history, and they had never posted pictures of birds with quotes that are difficult to interpret.

What is a canary? Quote:

A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.

This was followed by a confusing update which could be read as reassurance. It could also be read as a hint that they are being threatened with incarceration and forced to keep the site up, and as a reminder to archive data immediately because of an impending shutdown.

In past cases of similar concern, riseup staff were prompt and direct about renewing their canary. This time no clear response was given, so it is logical to conclude that the servers may no longer be under their control.

Why it matters

While the threats of using a conventional email provider are well understood and apply regardless of who operates the service, taking over a server gives a surveillance actor the power to actively compromise users' machines en masse or to target select individuals.

For alternatives, see our wiki page about e-mail.

Patrick started developing Whonix, the Anonymous Operating System, in 2012, and others quickly joined the effort. He has gathered experience working pseudonymously on Whonix for two years and enjoys collaboratively working on privacy-preserving software.


Notable Replies

  1. Ego says:

    Good day,

    Oh dear. A few things are to be considered here.

    First of all, since the purpose of a warrant canary is primarily to inform users of a service about whether they received something like a national security letter, it has been designed in a very particular way. A canary like this is supposed to be renewed regularly up to the point when it doesn't apply anymore. If they receive an NSL or something like it, it won't be renewed anymore.

    Their last canary is actually from the 16th of August, as you may see here: https://riseup.net/canary They were a few days late on their last one, which is rather problematic as a system like this relies on precise updates. Being even a day off is considered problematic, as the whole point of this system is permanent, predictable updates. If they aren't made in the same manner and in the same time-window, they shouldn't be considered "untainted", since such behavior would go against the concept and the way it provides security as a whole.

    That being said, even though they published a (late) canary in August, canaries aren't faultless. An NSL can ask a service-provider to keep their canary up as a facade, even though they have been compromised.

    The tweet from the 11th thus could be a hint on something like this happening. "don't listen to me" also is a very specific choice of wording/quotation. If a service like Riseup had hypothetically been compromised, such a tweet would be the only way to alarm users without breaching laws.

    Furthermore, their behavior on this is quite strange. When they posted it on the 11th, the first reactions on the 19th made a connection to their canary and a potential breach. However, it took them until the 21st to simply post a quote from their FAQ without stating any substantial information. If a false assumption in this regard has been made, a more concrete answer would be far smarter.

    Adding to that it took them another three days to react to the even bigger concerns created by that tweet. Their last tweets contained concerning wording like:

    There is no need for panic

    Saying "Don't panic!" is, at least from my point of view, appropriate on the back of some kind of guide to some kind of galaxy, but not for a service upon which dissidents around the planet/galaxy rely.

    In conclusion, while at this point in time, we may only speculate, there are a few things we can definitely record:

    1.) Riseup didn't use their warrant canary as it should have. Problematic
    2.) They made a quite obscure tweet which, at least from my perspective, they could hardly not notice to contain a very specific subtext, when you keep in mind who they are.
    3.) Their current communication is sub optimal at best.
    4.) If they had actually received a NSL, it could tell them to keep the warrant canary up, despite them being compromised.

    It's hard to make something out of this, without speculating.

    Have a nice day,

    Ego

    P.S.: By the way, Google is currently warning journalists because apparently some kind of "government-based attacker" tried to access their accounts. Eerie. Source: http://arstechnica.com/security/2016/11/google-warns-journalists-and-professors-your-account-is-under-attack/

  2. The organizational skills at Riseup seem to be sorely lacking.

    1. If you're going to have a warrant canary, don't have some vague shit like they have stating:

    Riseup intends to update this report approximately once per quarter.

    Approximately and intends to doesn't cut it if you are supposedly the home of liberatory social change.

    What you say is:

    We will be updating this report exactly each quarter, on the 1st day of the month. If a PGP signed warrant canary does not appear according to this strict schedule, then users cannot, and should not, reasonably presume safe use of the service. Under those circumstances, alternative providers should be used until further notice from management resolving this discrepancy.

    2. Considering a signed PGP warrant canary takes minimal effort, I don't see any reason why they couldn't do this monthly. This is particularly true since they were previously targeted and had hardware seized in 2012.

    Why give the feds a 3 month window to screw you and keep users in the dark? It seems illogical.

    3. If Riseup are subsequently found NOT to have been subject to some kind of government harassment (unlikely), then they need to work on their communication skills.

    That is, if they are not being gagged/compelled currently, they could have simply issued a clear statement on their website and twitter paraphrasing their warrant canary. For example, something like:

    As of November 28, 2016, Riseup has not:

    • received any National Security Letters;
    • FISA court orders;
    • been subject to a gag order or other similar legal instrument;
    • had requests for hardware/software backdoors;
    • disclosed any user communications; or
    • had hardware infrastructure seized or analyzed.
  3. @riseupnet and ffs, this has nothing to do with warrants or canaries. that's why we end up not tweeting.

    Maybe everyone's better off with them not tweeting if they keep spouting fucking obscure bird references every couple of days when it's clearly a sensitive topic.

  4. Ego says:

    Good day,

    I was thinking precisely the same thing when I read their last post...

    Maybe, just maybe, birds aren't the best conversation piece, keeping in mind what meaning they are supposed to imply. I mean, to a degree I could understand why they are fixated on these animals. Birds have been a representation of freedom for centuries and they've prominently been a part of Riseup's "brand identity" since the beginning of 2014, when birds were first incorporated into Riseup's webpage and some of their logos. Making a "fun" reference thus isn't incredibly unreasonable, IF there hasn't just been confusion about their warrant canary, something integral to their operation commonly associated with birds.

    The fact that someone at Riseup thought it was a good idea to start posting about listening "to the hummingbird" AFTER their warrant canary RAN OUT is, in the best case scenario, one of the worst cases of timing I've ever seen. The fact that they still haven't defused the situation by talking openly about their "laid-back" approach to updating the canary, and that they didn't tweet about birds beforehand, when now it seems to be their only topic, doesn't even need to be mentioned in that case.

    Adding to that, their (preemptive) response was neither polite nor appropriate, as THEY THEMSELVES are responsible for the criticism leveled at them. Furthermore, their next tweet was even more worrisome to me:

    since 1999 we have been doing a lot of work to keep everyone data safe according to the needs of our movements.

    Well, yes, you certainly seem to have. Though just being in "the business" for a long time doesn't make you immune from criticism, mistakes, or NSLs. And not doing anything to improve the situation (like setting fixed times for canaries) certainly doesn't make you look like people that have been doing this "since 1999".

    Adding to all of that and this is probably the most worrisome thing here, their canary hasn't been updated for 153 days/**5 months** OR IN OTHER WORDS ALMOST HALF A BLOODY YEAR!!!!!

    As someone who has a similar AGE TO THEIR SERVICE, even I know that that's quite a problem.

    I was actually unaware of the fact that they still didn't fix their canary, as I only figured it out now. There is no (positive) reason for it to be this outdated. In that Intercept article they tweeted a few MONTHS AGO, they said that the only issue with updating the canary was Thanksgiving and some bad planning. I have a hard time believing that in retrospect.

    Have a nice day,

    Ego

  5. IIRC they made some twisted statement about the NSL question where they said there was something but not an NSL...

    I think maybe it's their way of doing publicity (the "all publicity is good" strategy), but they are dealing with a privacy-conscious user base who think critically about these things and not mindless consumer idiots. No one is going to pour in donations to a service suspected of hiding serious problems. That's about the dumbest thing they could have done. I am looking forward to some alternative decentralized mail solution that works with the internet.
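The canary mechanism quoted in the post (an affirmative statement that must be renewed on a predictable schedule, with staleness itself being the signal) and the strict first-day-of-the-quarter schedule proposed in reply 2 can be turned into a client-side check. The following Python is an added example and is not code from riseup.net, Whonix or any of the commenters. The canary text, the organisation name in it and the list of required phrases are constructed for the example (the phrases follow the bullet list in reply 2), and the grace window is a parameter the reader chooses rather than anything the page specifies.

```python
"""Freshness and content check for a warrant-canary statement.

Added example, not code from riseup.net, Whonix or the commenters. The canary
text below is constructed for illustration; the quarterly schedule follows the
proposal in reply 2 and the grace window is an assumption left as a parameter.
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample canary (not a real riseup.net statement). The wording of
# the bullet list follows the example given in reply 2.
SAMPLE_CANARY = """\
As of November 28, 2016, Example Mail Collective has not:
 * received any National Security Letters;
 * received any FISA court orders;
 * been subject to a gag order or other similar legal instrument;
 * had requests for hardware/software backdoors;
 * disclosed any user communications; or
 * had hardware infrastructure seized or analyzed.
We will update this report on the first day of every quarter.
"""

# Key phrases a complete statement must contain (assumption: taken from reply 2).
REQUIRED_PHRASES = (
    "national security letter",
    "fisa",
    "gag order",
    "backdoor",
    "user communications",
    "seized",
)

MONTHS = {name: i for i, name in enumerate(
    ("January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"), start=1)}
DATE_RE = re.compile(r"As of ([A-Z][a-z]+) (\d{1,2}), (\d{4})")


def _as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_canary_date(text):
    """Extract the 'As of <Month> <day>, <year>' date; fail loudly if absent."""
    m = DATE_RE.search(text)
    if m is None:
        raise ValueError("canary has no 'As of <date>' line")
    month, day, year = m.groups()
    return date(int(year), MONTHS[month], int(day))


def missing_phrases(text):
    """Return the required phrases that do not appear in the statement."""
    lowered = text.lower()
    return [p for p in REQUIRED_PHRASES if p not in lowered]


def next_quarter_start(d):
    """First day of the quarter following d (1 Jan / 1 Apr / 1 Jul / 1 Oct)."""
    month = ((d.month - 1) // 3 + 1) * 3 + 1
    year = d.year
    if month > 12:
        month, year = month - 12, year + 1
    return date(year, month, 1)


@dataclass
class CanaryStatus:
    canary_date: date
    due_date: date
    age_days: int        # days elapsed since the statement's own date
    days_overdue: int    # positive once the due date plus grace has passed
    missing: list        # required phrases absent from the statement

    def ok(self):
        return self.days_overdue <= 0 and not self.missing


def check_canary(text, today=None, grace_days=0):
    """Judge a canary as of `today`. grace_days=0 is the strict reading from
    reply 1, where even one day late counts as a failure."""
    today = _as_date(today) if today is not None else date.today()
    canary_date = parse_canary_date(text)
    due = next_quarter_start(canary_date)
    return CanaryStatus(
        canary_date=canary_date,
        due_date=due,
        age_days=(today - canary_date).days,
        days_overdue=(today - due).days - grace_days,
        missing=missing_phrases(text),
    )


if __name__ == "__main__":
    s = check_canary(SAMPLE_CANARY, today="2017-01-02")
    print(f"canary dated {s.canary_date}, due {s.due_date}, "
          f"{s.days_overdue} day(s) overdue, missing={s.missing}, ok={s.ok()}")
```

The content check only means something after the statement's PGP signature has been verified (for example with `gpg --verify` against a key obtained out of band), because an attacker who controls the web server can edit unsigned text at will. A statement that is stale, unsigned, or missing one of the expected assertions should be treated the same way as an absent canary, which is exactly the inference the quoted definition describes.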
