

Riseup, the secure e-mail and mail list provider - sinak
http://www.indiegogo.com/projects/fight-the-nsa-save-privacy-help-riseup

======
cjbprime
I don't have anything against Riseup in particular, but it's making me sad to
see that there are still smart people who are passionate about email security,
are based in the US, and are saying "you should just trust us to ignore the
secret court orders that legally require us to spy on you without telling you
about it".

The world changed already. Take the energy that you're currently putting into
making promises that you can't keep and work on something with a defensible
security model instead.

~~~
just_testing
Actually, they are doing just that.

They are one of the forces driving a project for an encrypted e-mail system:
[https://leap.se/en/home](https://leap.se/en/home)

They also issued a call to arms asking for volunteers on the project not so
long ago.

------
mylorse
Mmmm, while it sounds interesting, I am surprised at several things they have
not implemented:

1\. CDN or mirror service to lessen the load. There are free ones:

[https://en.wikipedia.org/wiki/Content_delivery_network#Notab...](https://en.wikipedia.org/wiki/Content_delivery_network#Notable_content_delivery_service_providers)

2\. P2P software for distributing content across a mesh network between the
multiple servers (e.g. Gnunet & Freenet). Distributed Filesystems also work:

[https://en.wikipedia.org/wiki/Comparison_of_distributed_file...](https://en.wikipedia.org/wiki/Comparison_of_distributed_file_systems)

3\. Other communication than Jabber. Proper recommended secure channels are
SILC, OTR, and now Beta secushare:

[https://en.wikipedia.org/wiki/SILC_%28protocol%29](https://en.wikipedia.org/wiki/SILC_%28protocol%29)

[https://en.wikipedia.org/wiki/Off-the-record_messaging](https://en.wikipedia.org/wiki/Off-the-record_messaging)

[http://secushare.org/](http://secushare.org/)

The VPN is nice, though. I wish STOMP was used more instead of PYSC. I still
love IRC. It would also be awesome if they had a mini USENET, that would sell
me over to volunteer.

~~~
hank_dotnuts
From what I can tell, their problem isn't web related, a CDN or P2P software
isn't going to do much when you are delivering mail.

SILC and OTR? The former being an unmaintained nightmare, and the latter
something that is client related and not something they would "implement"?

------
lazyant
Men in suits can still come up and demand complete collaboration and silence
XOR Guantanamo, so nothing specially secure here. Also not sure why they need
thousands of dollars for a high-end server + "consultant", can't they start a
proof of concept in a VM with limited (invite) accounts? Sorry for the
negativity.

~~~
hank_dotnuts
Because they are the largest non-profit mailing list provider outside of
universities and are struggling under the load. They don't need a proof of
concept, they've been proving their concept since 1999.

------
unicornporn
Do keep in mind (and please respect) Riseup's policy [1]. Riseup does not
respect:

* Support for capitalism, domination, or hierarchy.

From what I've seen here at Hacker News, many contributors are quite outspoken
neoliberals that are more interested in venture capital than hacking and
actively "support capitalism".

[1]
[https://user.riseup.net/forms/new_user/policy](https://user.riseup.net/forms/new_user/policy)

------
consonants
As long as they are in the US, or a nation that bends to our will, it is not a
secure provider.

It's been a little over a year since the FBI seized their servers.
[https://www.eff.org/deeplinks/2012/04/may-firstriseup-server...](https://www.eff.org/deeplinks/2012/04/may-firstriseup-server-seizure-fbi-overreaches-yet-again)

edit: I also believe they were complicit in ousting several of their users who
allegedly used their service for illicit reasons a while back when they were
competing with hushmail, safemail, and the lot. This is from memory, and I
have no proof to back it up. Grain of salt and all that.

~~~
hank_dotnuts
Last I checked, it is not a requirement that you keep logs in the US, and that
is exactly what they don't do.

Regarding that server seizure... they seized one server that was used for
virtual hosting of another group's mixmaster and when it was returned they
immediately quarantined it and did not use it.

Citation needed about the outing, otherwise it's just FUD.

~~~
consonants
Last I checked, you can at any time be requested by the US government to do
exactly that: to keep logs or give them access.

My point is that they are on the radar, it's a matter of when not if they get
an order to start keeping logs or an agency deems it okay to seize their
hardware again.

~~~
hank_dotnuts
Name one case where the US government has required that you do exactly that.

Also, [https://www.riseup.net/en/riseup-and-government-faq](https://www.riseup.net/en/riseup-and-government-faq)

~~~
consonants
If someone is using your service and is suspected to be committing a crime
through it, as a provider you can be subpoenaed to be reasonably complicit in
an investigation on said individual. That can involve keeping temporary logs,
contact information, message content, or being placed under total network
surveillance without notice.

Or they can just seize the servers again and you can hope _everything_ is
secured on the provider's end.

The site's premise is a honeypot for just the kind of people the government
would like to keep an eye on.

~~~
hank_dotnuts
You didn't name one case.

