[Re-published] Security is not a crime

6 Jan, 2015

On Tuesday December 16th, a large police operation took place in the Spanish State. Fourteen houses and social centers were raided in Barcelona, Sabadell, Manresa, and Madrid. Books, leaflets, computers were seized and eleven people were arrested and sent to the Audiencia Nacional, a special court handling issues of “national interest”, in Madrid. They are accused of incorporation, promotion, management, and membership of a terrorist organisation. However, lawyers for the defence denounce a lack of transparency, saying that their clients have had to make statements without knowing what they are accused of. “[They] speak of terrorism without specifying concrete criminal acts, or concrete individualized facts attributed to each of them” [2]. When challenged on this, Judge Bermúdez responded: “I am not investigating specific acts, I am investigating the organization, and the threat they might pose in the future” [1]; making this yet another case of apparently preventative arrests.

Four of the detainees have been released, but seven have been jailed pending trial. The reasons given by the judge for their continued detention include the possession of certain books, “the production of publications and forms of communication”, and the fact that the defendants “used emails with extreme security measures, such as the RISE UP server” [2].

We reject this Kafka-esque criminalization of social movements, and the ludicrous and extremely alarming implication that protecting one’s internet privacy is tantamount to terrorism.

Riseup, like any other email provider, has an obligation to protect the privacy of its users. Many of the “extreme security measures” used by Riseup are common best practices for online security and are also used by providers such as hotmail, GMail or Facebook. However, unlike these providers, Riseup is not willing to allow illegal backdoors or sell our users’ data to third parties.

The European Parliament’s report on the US NSA surveillance program states that “privacy is not a luxury right, but the foundation stone of a free and democratic society” [3]. Recent revelations about the extent to which States violate everyone’s right to privacy show that everything that can be spied upon will be spied upon [4]. Furthermore, we know that criminalizing people for using privacy tools also has a chilling effect on everybody, and human-rights defenders, journalists, and activists, in particular. Giving up your basic right to privacy for fear of being flagged as a terrorist is unacceptable.

[1] https://directa.cat/actualitat/pandora-empresonada
[2] https://directa.cat/jutge-gomez-bermudez-envia-preso-set-de-onze-persones-detingudes-durant-loperacio-pandora
[3] http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML%2BCOMPARL%2BPE-526.085%2B02%2BDOC%2BPDF%2BV0//EN
[4] http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

—————————————————
link (Riseup.net) : https://help.riseup.net/en/about-us/press/security-not-a-crime


Newsletter, January 2015

January 2015 Newsletter

Happy new year everyone!

Following our previous newsletter, https://espiv.net/node/239, in which we also mentioned some changes in espiv’s email service, we would like to let you know about the main features of this service and the policy applied to email data preservation.

Email data preservation policy

We remind you that we need to save resources. Furthermore, it is generally considered a bad practice to keep emails forever available online. Thus, espiv has adopted a new policy regarding accounts on mail.espiv.net. If users have not logged in to their email account for more than six months, their account will be deactivated. Email accounts will be permanently deleted after 1 year of total inactivity, i.e. if they are inactive for 6 months after the last login, and the persons who check the same accounts have not requested reactivation for a further 6 months.

Features of mail.espiv.net service

Having an email account on a radical server, such as espiv, is a key step to ensuring the privacy of the information we exchange through the internet and the protection of our personal data. Equally important, if not more so, is how we use these services, as well as the additional tools we have at our disposal to protect ourselves, such as the exchange of encrypted emails.

As espiv we take the safety and privacy of communications very seriously and encourage anonymous access to internet services via Tor.

We would like to inform you that we have implemented a number of features in this direction:

• TLS[1] with proper certificates for SMTP(s), IMAP(s), POP3(s)
encryption of all incoming/outgoing email connections of the server.
• Certificate pinning[2] for other collective email services (riseup.net, so36.net, aktivix.org, autistici.org, etc[3])
certified and secure connection of mail.espiv.net with the servers of most collectives/email providers for activists.
• Forced TLS connections for public email services (Gmail, Hotmail, Yahoo!, etc)
exclusively encrypted connections between mail.espiv.net and the servers of most commercial email providers.
• Anonymized (Client IPs are removed) logs for mail and webmail
no IP address is recorded on the server.
• HTTPS only Roundcube webmail: https://mail.espiv.net
all data traffic between the computer browser and the webmail (mail.espiv.net) is encrypted.
• Autodiscovered settings mechanism for Thunderbird[4]
automatic settings for @espiv.net accounts in Thunderbird mail client.

[1] https://en.wikipedia.org/wiki/Transport_Layer_Security
[2] https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning
[3] https://we.riseup.net/riseuphelp+en/radical-servers
[4] https://skytal.es/wiki/Mail_providers
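
The "anonymized logs" item in the list above can be implemented as a filter applied to each log line before it is stored. The following is an added example, not espiv's own code; the sample lines, the `IP_REMOVED` marker and the function names are assumptions, and it removes every IP literal rather than only client addresses.

```python
import ipaddress
import re

PLACEHOLDER = "IP_REMOVED"  # hypothetical marker, not taken from espiv's setup

# The regex only proposes candidates; the ipaddress module decides.
# First branch: IPv6-shaped (two or more colon-terminated groups, optionally
# ending in a dotted quad). Second branch: a plain dotted quad.
_CANDIDATE = re.compile(
    r"(?<![\w:.])(?:[0-9A-Fa-f]{0,4}:){2,}[0-9A-Fa-f.]*(?![\w:])"
    r"|(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?!\d)"
)


def _scrub(match):
    token = match.group(0)
    core = token.rstrip(".")  # keep sentence punctuation out of the check
    try:
        ipaddress.ip_address(core)
    except ValueError:
        # e.g. the 10:15:32 timestamp: IPv6-shaped, but not an address
        return token
    return PLACEHOLDER + token[len(core):]


def anonymize(line):
    """Return the log line with every valid IPv4/IPv6 literal replaced."""
    return _CANDIDATE.sub(_scrub, line)


# Constructed sample lines in Postfix/Dovecot style, using documentation
# address ranges; they are not real espiv logs.
SAMPLE = [
    "Jan 12 10:15:32 mail postfix/smtpd[2211]: connect from unknown[198.51.100.23]",
    "Jan 12 10:15:40 mail dovecot: imap-login: Login: user=<alice>, "
    "rip=2001:db8::1f, lip=203.0.113.10, TLS",
    "Jan 12 10:16:02 mail webmail: login ok for alice from 203.0.113.7:51234",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(anonymize(entry))
```

Validating each candidate matters because a pattern loose enough to catch compressed IPv6 forms also matches syslog timestamps; without the check the filter would destroy the time field of every line.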

Onion services, accessible only via Tor

We encourage users of mail.espiv.net to use our services through Tor on the following onion addresses:

• Onion Service for SMTP (25), IMAP (143), POP (110): lloiryev7cvzszsn.onion
for anonymous access from any mail client with Tor, e.g. Thunderbird+TorBirdy
• Onion Service for webmail: 5sn2hxofsu6b55lo.onion
for anonymous access to the webmail of espiv.net using Tor Browser


Policy of automatic deletion of older email messages in Trash and Spam

Many times the email storage space gets filled up not because of our Inbox, but due to the Trash and Spam folders, which we often forget to empty. So, we considered it useful to automatically delete email messages older than 21 days from Trash and Spam folders only.

Finally, in order to save resources and avoid filling up the available space of your email account, we suggest you take a series of steps: use a mail client (e.g. Thunderbird) and store email messages locally on your computer; do not attach files to email messages but, instead, upload them on a site for file sharing, such as file.espiv.net (password: espiv); the same goes for mailing lists, where every member should be encouraged to avoid exchanging messages with multiple files attached; use email archiving practices.

DoS attacks and more resources
As we have already informed you (https://espiv.net/node/240), one of our servers is under frequent denial of service attacks. As a result, for shorter or longer periods the blogs, websites and forums we host on that machine are not accessible. If you think you can somehow contribute to espiv’s infrastructure with more resources, please contact us: servers@espiv.net, gpg keyid: 0x7A376A7D823369FF

espiv’s administrative collective


Temporary forum creation interruption

New SMF forums temporarily unavailable

As of October 14th, 2014, we will not create new SMF discussion forums due to technical reasons. Updates concerning the status of that service will follow.

espiv admin team


Concerning latest cyber attack on espiv.net

Hello to everyone,

Over the past 3 weeks one of our servers has been experiencing a large-scale cyber attack (DDoS). Multiple infected hosts from different parts of the world are participating in the attack, so we can’t really know who’s behind it. No user data has been compromised; however, the attackers have caused network congestion. As a result, the blogs, websites and fora hosted on espiv are hardly accessible or entirely unavailable.

Unfortunately there are very few things we can do to mitigate this type of attack. Nevertheless, we are considering possible alternatives to improve the accessibility of our services.

espiv.net administration collective


Newsletter, September 2014

Hello to all of you!

We want to let you know about a series of important changes in various espiv.net services. Please read below.

Web file repository files.espiv.net to be replaced by file.espiv.net

https://files.espiv.net is a file-sharing service using outdated/deprecated software. That’s why we are about to retire it. We strongly recommend you make your own local backup of any files you had uploaded on files.espiv.net, as everything will be permanently deleted one month after you receive this newsletter — on October 15th, 2014. Then we will configure https://files.espiv.net to direct to new software.

For uploading and sharing files, you can use a new service at https://file.espiv.net, currently using Coquelicot software. Coquelicot has almost the same features as the previous service, but offers significant security enhancements; for example, the server administrators will no longer be able to access the files that you upload. The webpage will ask for a password; this is just for anti-spam purposes. Use ‘espiv’ and proceed.

Passphrases for mail.espiv.net

Until recently the passphrase of a user for mail.espiv.net was restricted to 8 characters. Thanks to a technical upgrade, we can now support a new password storage scheme without this passphrase length restriction. To migrate to this new scheme, please make sure to successfully log in to your account using the webmail interface, at https://mail.espiv.net. If not, you will not be able to use your email account. This change will take effect 15 days after you receive this newsletter, on October 1st, 2014.

Email account preservation policy in mail.espiv.net

Users often create an email account, but cease to use it at some point. This is also the case with mail.espiv.net. Resources are not unlimited, and it is generally considered a bad practice to keep one’s data online forever. We therefore implement a new policy concerning the preservation of users’ accounts.

Email accounts that are not in use for more than 6 months will be disabled. This means that the mailbox’s contents will still be kept on our servers, but users will not be able to receive or send new emails. If users want to re-enable their email account, they will have to contact the espiv admin team by submitting a bug report, https://new.espiv.net/en/bug_report/, no more than 6 months after the account has been flagged as disabled.

Email accounts that will be disabled 6 months after the last login, and whose users will not contact us for another 6 months, will be permanently deleted (after 1 year of inactivity). This implies that the mailbox’s contents will also be permanently deleted, and there will be no turning back.

espiv.net collective
