riseup.net likely compromised

riseup.net, a service provider popular in privacy and activist circles, tweeted an obscure reference to birds that most plausibly refers to its warrant canary, which has not been renewed since August.

I have looked through their whole Twitter media history and they have never before posted pictures of birds with hard-to-interpret quotes.

What is a canary? Quote:

A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.

This was followed by a confusing update that could be read as reassurance. It could equally be read as a hint that staff are under threat of incarceration and compelled to keep the site running, or as a reminder to archive data immediately ahead of an impending shutdown.

When similar concerns were raised in the past, riseup staff were prompt and direct about renewing their canary. This time no clear response was given, so it is reasonable to conclude that the servers may no longer be under their control.

Why it matters

The risks of using a conventional e-mail provider are well understood and apply regardless of who operates the service. Taking over a server, however, gives a surveillance actor the additional power to actively compromise users' machines en masse (for example by altering the pages or files the server delivers) or to target selected individuals.

For alternatives, see our wiki page about e-mail.

Patrick Schleizer
Developer and maintainer at Whonix
Patrick started developing Whonix, the Anonymous Operating System in 2012, when quickly others joined efforts. He collected experiences working pseudonymous on Whonix for two years, enjoys collaboratively working on privacy preserving software.

Notable Replies

  1. Ego says:

    Good day,

    Oh dear. A few things are to be considered here.

    First of all, since the purpose of a warrant canary is primarily to inform users of a service about whether they received something like a national security letter it has been designed in a very particular way. A canary like this is supposed to be renewed regularly up to the point when it doesn't apply anymore. If they receive a NSL or something like it, it won't be renewed anymore.

    Their last canary is actually from the 16th of August, as you may see here: https://riseup.net/canary They were a few days late on their last one which is rather problematic as a system like this relies on precise updates. Being even a day off is considered problematic as the whole point of this system is permanent, predictable updates. If they aren't made in the same manner and in the same time-window, they shouldn't be considered "untainted", since such behavior would go against the concept and the way it provides security as a whole.

    That being said, even though they published a (late) canary in August, canaries aren't faultless. A NSL can ask a service-provider to keep their canary up as a facade, even though they have been compromised.

    The tweet from the 11th thus could be a hint on something like this happening. "don't listen to me" also is a very specific choice of wording/quotation. If a service like Riseup would hypothetically have been compromised, such a tweet would be the only way to alarm users without breaching laws.

    Furthermore, their behavior on this is quite strange. When they posted it on the 11th, the first reactions on the 19th made a connection to their canary and a potential breach. However, it took them until the 21st to simply post a quote from their FAQ without stating any substantial information. If a false assumption in this regard has been made, a more concrete answer would be far smarter.

    Adding to that it took them another three days to react to the even bigger concerns created by that tweet. Their last tweets contained concerning wording like:

    There is no need for panic

    Saying "Don't panic!" is, at least from my point-of-view appropriate on the back of some kind of guide, to some kind of galaxy, but not for a service upon which dissidents around the planet/galaxy rely.

    In conclusion, while at this point in time, we may only speculate, there are a few things we can definitely record:

    1.) Riseup didn't use their warrant canary as it should have. Problematic
    2.) They made a quite obscure tweet which, at least from my perspective, they could hardly not notice to contain a very specific subtext, when you keep in mind who they are.
    3.) Their current communication is sub optimal at best.
    4.) If they had actually received a NSL, it could tell them to keep the warrant canary up, despite them being compromised.

    It's hard to make something out of this, without speculating.

    Have a nice day,

    Ego

    P.S.: By the way, Google is currently warning journalists because apparently some kind of "government-based attacker" tried to access their accounts. Eerie. Source: http://arstechnica.com/security/2016/11/google-warns-journalists-and-professors-your-account-is-under-attack/

  2. torjunkie says:

    The organizational skills at Riseup seem to be sorely lacking.

    1. If you're going to have a warrant canary, don't have some vague shit like they have stating:

    Riseup intends to update this report approximately once per quarter.

    Approximately and intends to doesn't cut it if you are supposedly the home of liberatory social change.

    What you say is:

    We will be updating this report exactly each quarter, on the 1st day of the month. If a PGP signed warrant canary does not appear according to this strict schedule, then users cannot, and should not, reasonably presume safe use of the service. Under those circumstances, alternative providers should be used until further notice from management resolving this discrepancy.

    2. Considering a signed PGP warrant canary takes minimal effort, I don't see any reason why they couldn't do this monthly. This is particularly true since they were previously targeted and had hardware seized in 2012.

    Why give the feds a 3 month window to screw you and keep users in the dark? It seems illogical.

    3. If Riseup are subsequently found NOT to have been subject to some kind of government harassment (unlikely), then they need to work on their communication skills.

    That is, if they are not being gagged/compelled currently, they could have simply issued a clear statement on their website and twitter paraphrasing their warrant canary. For example, something like:

    As of November 28, 2016, Riseup has not:

    • received any National Security Letters;
    • FISA court orders;
    • been subject to a gag order or other similar legal instrument;
    • had requests for hardware/software backdoors;
    • disclosed any user communications; or
    • had hardware infrastructure seized or analyzed.
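The canary mechanism quoted in the post (an affirmative statement that must be renewed on schedule, with staleness read as a signal) and the strictly scheduled, PGP-signed statement proposed in the reply above both reduce to the same client-side check: is the signed statement recent enough, and does it still say everything it used to? The script below is an added example, not code from the original post, from riseup or from Whonix. It parses an RFC 4880 clearsigned message, reads the "As of <date>" line, checks that the expected claims are still present (a claim that quietly disappears is itself a signal), and grades the statement's age against a declared period plus a grace window. The sample canary, the claim list, the policy numbers and all names are constructed for illustration; signature verification is deliberately left to `gpg --verify`, which must pass before this verdict is trusted.

```python
"""Warrant-canary freshness check: added example, not riseup's or Whonix's code.

Parses a PGP clearsigned canary statement, checks that it still contains the
expected claims, and grades its age against the publisher's declared schedule.
Signature verification is out of scope: run `gpg --verify` on the file first
and only pass a statement here once that check has succeeded.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re
from typing import Optional, Tuple

# Claims the statement must still make. Hypothetical wording modelled on the
# bullet list proposed in the replies; pin a real provider's exact phrasing.
REQUIRED_CLAIMS = ("national security letter", "fisa", "gag order")

# Matches e.g. "As of November 28, 2016," at the start of a line.
DATE_RE = re.compile(r"^As of ([A-Z][a-z]+ \d{1,2}, \d{4}),", re.MULTILINE)


@dataclass(frozen=True)
class CanaryPolicy:
    period_days: int   # declared update interval, e.g. 90 for "quarterly"
    grace_days: int    # how late a statement may be before it counts as expired


@dataclass(frozen=True)
class CanaryVerdict:
    status: str                      # fresh | late | expired | incomplete | malformed
    age_days: Optional[int]
    missing_claims: Tuple[str, ...]


def extract_clearsigned_body(text: str) -> Optional[str]:
    """Return the signed text of an RFC 4880 clearsigned message, or None."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        return None
    i = start + 1
    while i < end and lines[i].strip():   # skip armor headers such as "Hash: SHA512"
        i += 1
    # Undo dash-escaping: a body line starting with "-" was written as "- -".
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:end]]
    return "\n".join(body).strip()


def parse_statement_date(body: str) -> Optional[date]:
    m = DATE_RE.search(body)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%B %d, %Y").date()
    except ValueError:
        return None


def missing_claims(body: str) -> Tuple[str, ...]:
    lowered = body.lower()
    return tuple(c for c in REQUIRED_CLAIMS if c not in lowered)


def check_canary(text: str, policy: CanaryPolicy, today: date) -> CanaryVerdict:
    body = extract_clearsigned_body(text)
    if body is None:
        return CanaryVerdict("malformed", None, ())
    stated = parse_statement_date(body)
    if stated is None or stated > today:      # undated or future-dated: reject
        return CanaryVerdict("malformed", None, missing_claims(body))
    age = (today - stated).days
    if age <= policy.period_days:
        status = "fresh"
    elif age <= policy.period_days + policy.grace_days:
        status = "late"
    else:
        status = "expired"
    missing = missing_claims(body)
    if missing and status != "expired":       # a dropped claim outranks "fresh"
        status = "incomplete"
    return CanaryVerdict(status, age, missing)


# Constructed sample, not a real riseup statement; the signature block is a placeholder.
SAMPLE_CANARY = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

As of August 16, 2016, Example Provider has not:

- - received any National Security Letters;
- - received any FISA court orders;
- - been subject to a gag order or other similar legal instrument.

Next update expected within one quarter.
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

QUARTERLY = CanaryPolicy(period_days=90, grace_days=7)

if __name__ == "__main__":
    for today in (date(2016, 11, 5), date(2016, 11, 28), date(2017, 1, 16)):
        print(today, check_canary(SAMPLE_CANARY, QUARTERLY, today))
```

Run against the sample dated August 16, 2016, the check reports "fresh" on November 5, "expired" (104 days) on November 28 under a quarterly policy with a one-week grace window, and 153 days on January 16, 2017. The grace window is where the "approximately once per quarter" versus "exactly on the 1st" argument lives: the looser the published schedule, the larger the window has to be, and the longer a compelled or seized operator can sit inside it unnoticed.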
  3. Patrick says:
    torjunkie:
    1. If you're going to have a warrant canary, don't have some vague shit like they have stating:

    Riseup intends to update this report approximately once per quarter.

    Approximately and intends to doesn't cut it if you are supposedly the home of liberatory social change.

    What you say is:

    We will be updating this report exactly each quarter, on the 1st day of the month. If a PGP signed warrant canary does not appear according to this strict schedule, then users cannot, and should not, reasonably presume safe use of the service. Under those circumstances, alternative providers should be used until further notice from management resolving this discrepancy.

    That could be reasonably demanded if riseup was a paid, professional service, run like a company. But it is more like a free service, done in spare time, on best effort basis. The input of time / output of salary and therefore other life responsibilities leads to not prioritizing it like that.

    torjunkie:
    1. Considering a signed PGP warrant canary takes minimal effort, I don't see any reason why they couldn't do this monthly. This is particularly true since they were previously targeted and had hardware seized in 2012.

    Why give the feds a 3 month window to screw you and keep users in the dark? It seems illogical.

    Maybe they have some legal theory behind this under which they are operating. Terms like intend and approximately simplify this.

    Running something like riseup needs courage. Trying the canary stuff and risking jail time needs even more courage.

  4. Ego says:

    Good day,

    Can I be honest? What's written in there scares me somewhat even more...

    Quote:

    And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly.

    However, the spokesperson did provide some context: “There are a lot of conspiracy theories going around because people think that this is something bigger than it actually is,” he said. “The reality is that these theories are way out of proportion to the truth. It isn’t something that people should freak out about, or be scared, or burn their computer, and run for the hills.”

    After all of this ambiguity, not clearly commenting on whether they've received requests for data is anything but reassuring in my eyes. Especially considering they do state that "riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.", meaning that since this is somehow different from the answer to the question whether they received ANY request for user data, they likely did.

    Otherwise they wouldn't separate between requests for user data and "legal" (as in law-based) requests. Now, this could just be because some "lost" police officer simply did a request he had no legal ground to do in the first place, though if that was the case, why not say it?

    Why is commenting on NSL's, etc. possible but not on "general requests", when something like a NSL would have much more legal ground to "stop them from talking", compared to other forms of request.

    That really is something which does bug me a lot. Oh and by the way, the canary still hasn't been updated: https://riseup.net/canary

    Regarding that the article mentions:

    The riseup collective is currently having internal discussions about when it will be able to update its warrant canary.

    Now that obviously would be a good thing. Having a fixed date like @torjunkie already mentioned is definitely a good thing. But why wouldn't they at least update the current one?

    Have a nice day,

    Ego

  5. Ego says:

    Good day,

    I was thinking precisely the same thing when I read their last post...

    Maybe, just maybe birds aren't the best conversation piece, keeping in mind what meaning they are supposed to imply. I mean, to a degree I could understand why they are fixated on these animals. Birds have been a representation of freedom for centuries and they've prominently been a part of Riseup's "brand identity" since the beginning of 2014 when birds were first incorporated into Riseup's webpage and some of their logos. Making a "fun" reference thus isn't incredibly unreasonable, IF there hasn't just been confusion about their warrant canary, something integral to their operation commonly associated with birds.

    The fact that someone at Riseup thought it was a good idea to start posting about listening "to the hummingbird" AFTER their warrant canary RAN OUT, is in the best case scenario one of the worst cases of timing I've ever seen. The fact that they still haven't defused the situation by talking openly about their "laid-back" approach to updating the canary and that they didn't tweet about birds beforehand, when now it seems to be their only topic, doesn't even need to be mentioned in that case.

    Adding to that, their (preemptive) response was neither polite, nor appropriate, as THEY THEMSELVES are responsible for the criticism leveled at them. Furthermore, their next tweet was even more worrisome to me:

    since 1999 we have been doing a lot of work to keep everyone data safe according to the needs of our movements.

    Well, yes, you certainly seem to have. Though, just being in "the business" for a long time doesn't make you immune from criticism, mistakes, or NSL's. And, not doing anything to improve the situation (like setting fixed times for canaries) certainly doesn't make you look like people that have been doing this "since 1999".

    Adding to all of that and this is probably the most worrisome thing here, their canary hasn't been updated for 153 days/**5 months** OR IN OTHER WORDS ALMOST HALF A BLOODY YEAR!!!!!

    As someone who has a similar AGE TO THEIR SERVICE, even I know that that's quite a problem.

    I was actually unaware of the fact that they still didn't fix their canary, as I only figured it out now. There is no (positive) reason for it to be this outdated. In that Intercept article they tweeted a few MONTHS AGO, they said that the only issue with updating the canary was Thanksgiving and some bad planning. I have a hard time believing that in retrospect.

    Have a nice day,

    Ego