riseup.net likely compromised

Originally published at: News - Whonix Forum

riseup.net is a popular service provider among privacy and activist circles tweeted an obscure reference about birds which likely refers to their warrant canary that hasn’t been renewed since August.

https://twitter.com/riseupnet/status/797142735283257345

I have looked through their whole twitter media history and they never posted pictures of birds with quotes difficult to interpret.

What is a canary? Quote:

A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.

This was followed by a confusing update which could be read as reassurance. Also it could be interpreted as being threatened with incarceration and being forced to keep the site up and a reminder to archive stuff immediately because of impending shutdown.

https://twitter.com/riseupnet/status/800815181190217729

Compared with past similar concerns where riseup staff were prompt and direct about renewing their canary. No clear response was given so its logical to conclude that the servers may not be under their control any longer.

https://twitter.com/flanvel/status/765349637377126400

https://twitter.com/Whonix/status/801894194075803650

Why it matters?

While the threats of using a conventional email providers are well understood and apply regardless of who operates the service, taking over a server gives surveillance the power to actively compromise users machines en mass or to target select individuals.

For alternatives, see our wiki page about e-mail.

Good day,

Oh dear. A few things are to be considered here.

First of all, since the purpose of a warrant canary is primarily to inform users of a service about whether they received something like a national security letter it has been designed in a very particular way. A canary like this is supposed to be renewed regularly up to the point when it doesn’t apply anymore. If they receive a NSL or something like it, it won’t be renewed anymore.

Their last canary is actually from the 16th of August, as you may see here: Canary - riseup.net They were a few days late on their last one which is rather problematic as a system like this relies on precise updates. Being even a day of is considered problematic as the whole point of this system are permanent, predictable updates. If they aren’t made in the same manner and in the same time-window, they shouldn’t be considered “untainted”, since such behavior would go against the concept and the way it provides security as a whole.

That being said, even though they published a (late) canary in August, canaries aren’t faultless. A NSL can ask a service-provider to keep their canary up as a facade, even though they have been compromised.

The tweet from the 11th thus could be a hint on something like this happening. “don’t listen to me” also is a very specific choice of wording/quotation. If a service like Riseup would hypothetically have been compromised, such a tweet would be the only way to alarm users without breaching laws.

Furthermore, their behavior on this is quite strange. When they posted it on the 11th, the first reactions on 19th made a connection to their canary and a potential breach. However, it took them until the 21st to simply post a quote from their FAQ without stating any substantial information. If a false assumption in this regard has been made, a more concrete answer would be far smarter.

Adding to that it took them another three days to react to the even bigger concerns created by that tweet. Their last tweets contained concerning wording like:

There is no need for panic

Saying “Don’t panic!” is, at least from my point-of-view appropriate on the back of some kind of guide, to some kind of galaxy, but not for a service upon which dissidents around the planet/galaxy rely.

In conclusion, while at this point in time, we may only speculate, there are a few things we can definitely record:

1.) Riseup didn’t use their warrant canary as it should have. Problematic
2.) They made a quite obscure tweet which, at least from my perspective, they could hardly not notice to contain a very specific subtext, when you keep in mind who they are.
3.) Their current communication is sub optimal at best.
4.) If they had actually received a NSL, it could tell them to keep the warrant canary up, despite them being compromised.

It’s hard to make something out of this, without speculating.

Have a nice day,

Ego

P.S.: By the way, Google is currently warning Journalist because apparently some kind of “government-based attacker” tried to access their account. Eerie. Source: Google warns journalists and professors: Your account is under attack | Ars Technica

I wouldn’t trust those tweets, if they’re under a gag order they cant say it directly.
OWS latest warrant did show how long it could take to know what happend.

Btw does Whonix have a Canary ?
I couldn’t find one …

2 posts were merged into an existing topic: Whonix Warrant Canary

Moved here:
https://forums.whonix.org/t/whonix-warrant-canary

The organizational skills at Riseup seem to be sorely lacking.

1. If you’re going to have a warrant canary, don’t have some vague shit like they have stating:

Riseup intends to update this report approximately once per quarter.

Approximately and intends to doesn’t cut it if you are supposedly the home of liberatory social change.

What you say is:

We will be updating this report exactly each quarter, on the 1st day of the month. If a PGP signed warrant canary does not appear according to this strict schedule, then users cannot, and should not, reasonably presume safe use of the service. Under those circumstances, alternative providers should be used until further notice from management resolving this discrepancy.

2. Considering a signed PGP warrant canary takes minimal effort, I don’t see any reason why they couldn’t do this monthly. This is particularly true since they were previously targeted and had hardware seized in 2012.

Why give the feds a 3 month window to screw you and keep users in the dark? It seems illogical.

3. If Riseup are subsequently found NOT to have been subject to some kind of government harassment (unlikely), then they need to work on their communication skills.

That is, if they are not being gagged/compelled currently, they could have simply issued a clear statement on their website and twitter paraphrasing their warrant canary. For example, something like:

As of November 28, 2016, Riseup has not:

• received any National Security Letters;
• FISA court orders;
• been subject to a gag order or other similar legal instrument;
• had requests for hardware/software backdoors;
• disclosed any user communications; or
• had hardware infrastructure seized or analyzed.

That could be reasonably demanded if riseup was a paid, professional service, run like a company. But it is more like a free service, done in spare time, on best effort basis. The input of time / output of salary and therefore other life responsibilities leads to not prioritizing it like that.

Maybe they have some legal theory behind this under which they are operating. Terms like intend and approximately simplify this.

Running something like riseup needs courage. Trying the canary stuff and risking jail time needs even more courage.

If it needs so much courage to run a Service like this and they are not ready for the heat , they shouldn’t do it.
No excuse for bad OPSEC and for endangering Users who don’t know better.

“We work to create revolution and a free society in the here and now by building alternative communication infrastructure designed to oppose and replace the dominant system.”

“We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression.”
Now i know why they didn’t accept my Account…, funny People at riseup.

Sweet Advertisment though…

There isn’t any apparent limit on the frequency of warrant canaries or transparency reports.

The Canary Watch project has seen canary publications varying from daily to once yearly. Their anatomy of a warrant canary states:

https://www.canarywatch.org/about.html#anatomy

How often is it published?

Providers have to decide at what rate to publish warrant canaries. For example, some companies publish annual transparency reports with canaries. Some publish canaries bi-annually. Some providers simply leave a warrant-canary statement up until, ostensibly, it is no longer valid.

So, in Riseup’s case, they may be better off choosing a ‘permanent canary’ that is just taken down the exact day they receive an order. Seems to be a smarter strategy.

Another example in terms of the regularity of publications is the encrypted email provider Protonmail. They update their canary exactly once every 3 months (on the 1st of each month) and have a far better statement regarding timeliness:

This warrant canary is updated at minimum once every 3 months, or whenever a new legally binding request is received, or about to be received if we have advanced warning.

Admittedly they are in a much more liberal location (Switzerland).

Unless there is any particular reason Riseup has to be incorporated in Stasiland (the US), they would be better off migrating their architecture to a more friendly jurisdiction over time. The US is a lost cause, even if at least one federal court has ruled that NSL gags are unconstitutional.

There also does not appear to be any limit on stating what you have not received. Only the obverse appears to be true in the US, for example:

An ISP may be gagged from stating it has received:

• any one of several types of national security letters;
• orders from the Foreign Intelligence Surveillance Court (like the Section 215 orders used for the bulk call records program or the Section 702 orders used for the NSA’s PRISM program); or
• an ordinary subpoena or search warrant accompanied by a gag order pursuant to the Electronic Communication Privacy Act.

The government has issued hundreds of thousands of these gagged legal requests, but very few have ever seen the light of day.

So, based upon Riseup’s Seattle location, if they have not received an order currently, I’m not seeing any restrictions upon them in stating it plainly. This relates to the legal issue of ‘compelled speech’ in US jurisdictions. Canarywatch supports this position:

There is no law that prohibits a service provider from publishing an honest and complete transparency report that includes all the legal processes that it has not received. The gag order only attaches after the ISP has been served with the gagged legal process. Nor is publishing a warrant canary an obstruction of justice, since this intent is not to harm the judicial process, but rather to engage in a public conversation about the extent of government investigatory powers.
…
While the government may be able to compel silence about legal processes through a gag order, it’s much more difficult to argue that it can compel an ISP to lie by falsely stating that it has not received legal process when in fact it has.

Good day,

Can I be honest? What’s written in there scares me somewhat even more…

Quote:

And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly.

However, the spokesperson did provide some context: “There are a lot of conspiracy theories going around because people think that this is something bigger than it actually is,” he said. “The reality is that these theories are way out of proportion to the truth. It isn’t something that people should freak out about, or be scared, or burn their computer, and run for the hills.”

After all of this ambiguity, not clearly commenting on whether they’ve received requests for data is anything but reassuring in my eyes. Especially considering they do state that “riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.”, meaning that since this is somehow different from the answer to the question whether they received ANY request for user data, they likely did.

Otherwise they wouldn’t seperate between requests for user data and “legal” (as in law-based) requests. Now, this could just be because some “lost” police officer simply did a request he had no legal ground to do in the first place, though if that was the case, why not say it?

Why is commenting on NSL’s, etc. possible but not on “general requests”, when something like a NSL would have much more legal ground to “stop them from talking”, compared to other forms of request.

That really is something which does bug me a lot. Oh and by the way, the canary still hasn’t been updated: Canary - riseup.net

Regarding that the article mentions:

The riseup collective is currently having internal discussions about when it will be able to update its warrant canary.

Now that obviously would be a good thing. Having a fixed data like @torjunkie already mentioned is definitely a good thing. But why wouldn’t they at least update the current one?

Have a nice day,

Ego

I don’t know. Maybe this is as far as Micah Lee can say “riseup has a serious problem” without getting into legal trouble? Because that article overall does not make sense to me. Or it’s a stunt by riseup in an attempt to rise more donations so they do not have to rather shutdown or limit their services?

Good day,

At this point, I feel like “anything” could come out of this, though I feel like there are far better ways for getting publicity and thus donations than scattering mistrust in the own platform. It seems that, until further information becomes available, that there might be something quite problematic going on at Riseup.

Have a nice day,

Ego

Everybody is talking about Emails and it thrills me that so far nobody has thought about what could be a juicier target than reading some leftist extremist anarcho mails

Did nobody consider that Tails might be the target because after all their Code Repository is hosted on their servers and a new version has just been released?!

https://labs.riseup.net/code/projects/tails

And for what it is worth Riseup has known about NSLs for quite some time yet never thought for a moment about moving their servers to a Location in which similiar NSLs and gagorders aren’t as easy to deliver as in the land of the free

Good day,

The thing is that Tails’s git repository is hosted separately (https://git-tails.immerda.ch/tails), though even if it wasn’t, massive changes to the code would be noticed quite rapidly.

Have a nice day,

Ego

It depends on Tails’ use of signed git commits, signed git tags, git commit/tag verification, their build security (who creates official builds and if that person always does the gpg verification). I would guess that Tails developers do this, that they would not be compromised if their remote git servers was compromised, but if you are interested in this, scrutiny is always good.

As Ego pointed out…

We forgot the consequences for whonix.org. Still need to change something here:

Email Overview

Good day,

Made additions regarding the “cannary situation”.

Have a nice day,

Ego