/tech/ - Technology

>>27557
isn't sending invites to people you don't know kind of against the point of invites?
besides, it is a literal cia honey pot. just use a regular email with pgp encryption

>>27558
>it is a literal cia honey pot
Is it really?

>>27731
Absolutely not, he's talking out of his ass.
You don't even have to trust them tbh. Just use GPG and connect to their service from their onion.
Don't listen to everything you hear on here, people will spread FUD about literally everything.

Anyway,
>>27557
Just request an account directly to them. Say you are a small local group or something. Worked for me at least - It was almost a decade ago tho.
Took like 2 or 3 days to get my account.

>>27749
As far as I can tell, you can't just ask for an account anymore. Invite codes seemed to be required.

>>27731
use your brain for a second. you automatically decided to trust these people only because they have lefty symbols on their site. at most you are putting yourself on a list for an email you can't trust. the only difference is going to be that might get lazy, "trust them" and forget to use pgp encryption. you don't know these people and yet you uncritically decided to trust them - that's by design, that's what defines a successful honey pot

>>27751
Do you really think big intel agencies don't have the means to collect email metadata and unencrypted email being transferred from EVERY email providers?
You told OP yourself: "just use a regular email with pgp encryption"
So what if he wants to have a riseup address for symbolic purposes? Doesn't change anything as long as he use GPG.
They are most likely not a honeypot because it doesn't matter, it's just a question of you being lazy and forgetting to use encryption, which you can also be on a "regular email" provider.
Beside, at least you can register and send mails from Tor using their onion with Riseup, not with most regular providers. Doesn't make sense to call them a honeypot when you admit using the worst alternative possible.

>>27755
>if they have the capacity to track web traffic, why would they use honey pots
because it is more effective and practical

with a regular email you will always keep in mind that you have to use encryption for anything serious. but with things like riseup you might make the mistake of trusting them - that's the point of the con

>but what if you keep perfect opsec
counterfactual, and using a honeypot increases the impact of any eventual mistake, which will happen more often because you feel comfortable with your good friends at riseup.net (who you have never met and have no relation with)

>>27756
>because it is more effective and practical
no, doesn't change anything, really. (cf XKeyscore and surely things we don't know yet about)

>with things like riseup you might make the mistake of trusting them
no. only low hanging fruits that deserve to get fucked. They will fuck up eventually anyway if they are dumb enough to put all their trust in a single entity, no matter who's behind said entity.
That's why riseup never said anything about being super secure military grade encrypted something-something like Protonmail or others do. That's why they have onions. That's why they have a canary. You should never trust anyone, that's it.
If they are a honeypot like you thing they are, what was the point of them not updating their canary a few years ago?

>who you have never met and have no relation with
I know someone 'working' 'at' riseup. Yet you assume everyone else is in the dark because you are and you like to pretend you know everything.
Don't change the fact that you should not trust them - same thing for me even if I know someone related to their services - that's basic opsec.


-> don't trust anyone
-> riseup being a honeypot is just schizo talk as usual and doesn't change anything as you shouldn't trust anyone anyway, your only proof of it being a honeypot is just their reputation as a left-side group lmao. By your logic everything is a honeypot.

>>27764
>I know someone 'working' 'at' riseup.
same agency?

>>27766
Here you are posting on an imageboard one could argue is also a honeypot, behind a 'no-logs' VPN you put all your trust into.

cock.li gpg encrypted emails through tor with thunderbird or some other desktop email client, every single other option glows and you might as well use gmail instead
literally all the other providers either doesn't allow open registration (riseup), doesn't allow desktop email clients without payment (protonmail), blocks registration through tor (tutanota) or have other issues

>>27772
Cock.li 'glows' as much as riseup
Both have onions
Both don't pretend to be more secure and tell you to use gpg and tor
Cockli was invite-only for years too
Riseup just doesn't want the additional police attention Cockli has because of ransomware operators using their services (and that's most likely why cock.li was on spamhaus blocklist and is now displaying their 'red alert' page) - that's why they are still invite-only.

Can we stop pretend our own choice of email provider is superior for a moment? They all suck, because the email protocol sucks. At least Riseup, Cockli, Onionmails and a few others have onions, but that doesn't mean one is better than the other. Every one of them should be equally considered dangerous.

>>27774
>Cock.li 'glows' as much as riseup
clearly not since riseup requires you to beg for invites on the internet (leaving an unnecessary trail during registration) or getting one from a friend (if you do this and expect anonymity… just lol)
>Can we stop pretend our own choice of email provider is superior for a moment? They all suck
cock.li is the one that sucks less
before cock.li opened up registrations there was another provider that filled all the boxes but it doesn't accept new accounts anymore and i forgot what it was called (something with b and numbers i think, it was a blue and white webpage)

>>27776
>clearly not since riseup requires you to beg for invites on the internet

Here is the thing:
Riseup isn't supposed to be used for cybercrime nor it's supposed to be used by people targeted by 3 letters intelligence agencies (or for whom it won't change much as they don't do things that will led to them being in jail for a decade).
It's invite-only because activist groups know their members IRL most of the time and can give invites face to face.

You just have to read the first thing at the top of the homepage:
"Riseup provides online communication tools for people and groups working on liberatory social change."

Their userbase are not schizos from the Internet that think they will be targeted by the CIA because they sold credentials on XSS.is in november 2022, unlike Cockli. They focus on communication privacy, not total anonymity.

One of the first rules of OPSEC is 'know your enemy'. Riseup users enemies are local law enforcement and fascist groups.

>>27777
>Riseup isn't supposed to be used for cybercrime nor it's supposed to be used by people targeted by 3 letters intelligence agencies
"you're not supposed to do crime with it" is a mindbogglingly dumb way to think about this, they shouldn't be able to know what i am using their email service for in the first place
>They focus on communication privacy, not total anonymity.
cock.li doesn't "focus" on anything, it's just an email provider and it is objectively superior to riseup privacy-wise
>One of the first rules of OPSEC is 'know your enemy'. Riseup users enemies are local law enforcement and fascist groups.
and cock.li outperforms riseup for this threat model

>>27776
you are supposed to only give (and thus receive) invites irl, you fucking imbecile. that's the entire point of invites, to keep a chain of trust

>>27778
you are defending a guy that has a record of collaborating with law enforcement. if riseup is a honeypot at least it has a more discrete track record

>>27779
which ties your e-mail identity to your real identity, good job anon, privacy just went down the fucking drain
this "chain of trust" is actually an anti-user feature you're trying to dress as something positive, there is no benefit to letting the e-mail provider know that X account has real life ties to Y account
>>27780
the service cooperating or not with law enforcement is irrelevant if you encrypt your e-mail, and you should assume riseup will buckle if the pressure is enough as would any other provider
similar to how i don't care if the government seizes my FDE'd hard drive, i have a constitutional right to refuse to produce incriminating evidence against myself and if the government is willing to trample on that and torture me to get the encryption key out i'm already fucked anyway, there's no realistic counter to a threat model like this

also, i'm not "defending a guy", the entire point of my post was to point out that if you use cock.li in the way i described you do not need to trust cock.li
if you register and access your account through tor with a desktop client and encrypt all your messages then there is literally no difference between using X provider over Y provider, cock.li just happens to be (correct me if i'm wrong) the only one where this is possible currently
learn how to read

>ties your e-mail identity to your real identity
you are so terminally online you can't even conceive of using the computer to talk to people you know, or, god forbid, are part of your organization

>if I send or receive email then the server will know I'm communicating with other people
I know you only use your email to register to porn sites and anonymous social media. riseup isn't for that so feel free to never bother them

>encrypt your e-mail
I don't think you understand how pgp and email works. you can encrypt the body of the message, but the metadata (sender, receiver, etc.) are always known to the smtp server because it needs to know where to send the message

you are so online you are talking about the 5th amendment even though you are most probably not american

>>27784
>you are so terminally online you can't even conceive of using the computer to talk to people you know, or, god forbid, are part of your organization
why would you give the provider the information that a certain account is a certain someone? you can still tell people IRL your e-mail address without telling the provider that information
can you answer already? this is the third post in a row where i ask this simple question and get no answer in the reply
>I know you only use your email to register to porn sites and anonymous social media. riseup isn't for that so feel free to never bother them
you, cock.li and law enforcement can't possibly know what i use my e-mail for since it's encrypted, isn't that great? :^)
>I don't think you understand how pgp and email works.
yeah cybersecurity is literally how i earn my salary but go ahead, let's hear your lecture
>but the metadata (sender, receiver, etc.) are always known to the smtp server because it needs to know where to send the message
if we're assuming that you just send and receive e-mails to individual addresses this is correct, congrats
but allow me to blow your little mind: have you ever considered publishing the PGP encrypted messages without the public key ID? you might be asking yourself how that's possible with e-mail, but if you were a little older and more educated on the subject you'd be able to instantly make the connection between hidden recipient PGP encryption and mailing lists or sending the same encrypted message to multiple addresses
>you are so online you are talking about the 5th amendment even though you are most probably not american
america is not the only country that has a constitutional right to not produce incriminating evidence against yourself you retarded faggot
1. https://www.planalto.gov.br/ccivil_03/Constituicao/Constituicao.htm#5LXIII
2. (art. 8º, 2, g)
3. PIDCP (art. 14, 3, g)

>>27785
>2. (art. 8º, 2, g)
2. CADH (art. 8º, 2, g)*

>>27779
>which ties your e-mail identity to your real identity, good job anon, privacy just went down the fucking drain
this "chain of trust" is actually an anti-user feature you're trying to dress as something positive, there is no benefit to letting the e-mail provider know that X account has real life ties to Y account

Hey I'm back
As I said before:
The benefit is less law enforcement heat because of less ransomware operators using their services. But anyway, if I recall correctly Riseup deployed end to end encryption after their 2016 gag order (not sure)
I hope this helps.

As for the "which ties your email identity to your real identity" comment, yea, maybe, if they do physical surveillance or if someone you know IRL speaks to the police, yea. But riseup users are not using the service for whatever you do. It's an activist platform, not for whatever you are trying to hide. Most users of Riseup are doing legal stuff or are proud of their crimes. They don't do bomb threats or distribute child porn, so the chances of law enforcement going as far as doing IRL surveillance or your invite-giver snitching are almost non-existent. Again, 'know your enemy', you should understand what it means as someone working in infosec.

>"you're not supposed to do crime with it" is a mindbogglingly dumb way to think about this, they shouldn't be able to know what i am using their email service for in the first place
When requestion/using a riseup email, you are stating that you are an activist for social change, because that what the service was created for.
You are also accepting their ToS, which states you should not use their services for cyberattacks nor distributing child porn.
Hope you understand that you are just not they target user.

>clearly not since riseup requires you to beg for invites on the internet
"Do not trade, sell, publicly give away, or publicly offer invites to people you don’t know." Again, it's in their ToS, as it's supposed to be shared face to face with people you trust.

>>27787
>The benefit is less law enforcement heat because of less ransomware operators using their services.
law enforcement (or even intelligence agencies) can't investigate every single account using the service, the only thing that matters is that
plus, don't you think that using a service that is more popular draws less heat to (You) individually?
>if I recall correctly Riseup deployed end to end encryption after their 2016 gag order (not sure)
there is no difference to the user if their PGP encrypted messages are stored in plain text or encrypted, you shouldn't trust your security to a third party if you can avoid it
>But riseup users are not using the service for whatever you do. It's an activist platform, not for whatever you are trying to hide.
full disk encryption works just as well for me as it does to a criminal, same goes for PGP, Tor and understanding how e-mail works
>When requestion/using a riseup email, you are stating that you are an activist for social change, because that what the service was created for.
which is adding unneeded risk to you being rekt for no reason
the real reason people gravitate to riseup is because of the "lefty" and "le activist" aesthetic, people don't want to use the stinky service that serves optional [email protected] aliases lol
BUT, from a purely functional perspective, cock.li is objectively superior to riseup when it comes to protecting your privacy, if you're serious about security i'm sure you'll understand why it's preferable to lock your door with an ugly key rather than keep it open
>"Do not trade, sell, publicly give away, or publicly offer invites to people you don’t know." Again, it's in their ToS, as it's supposed to be shared face to face with people you trust.
the cock.li TOS is "don't do crime" and they won't ever know you're committing crime since the e-mails are encrypted, and if for any reason you're banned you can just register another account with 0 repercussions
riseup is notorious for doing shit like this where they ban the account + the people who invited them https://old.reddit.com/r/emailprivacy/comments/15gibcy/my_experience_with_riseupnet_banned/ you can find hundreds of complaints online about this stuff
i don't want to surrender my privacy to someone who can just ban me on a whim and prevent me from creating another account, there is absolutely no reason to do so

>>27788
>the only thing that matters is that
the only thing that matters is that communication through cock.li is objectively more secure than riseup

>>27788
>don't you think that using a service that is more popular draws less heat to (You) individually?
Absolutely not.
German law enforcement requested the totality of Riseup donators infos to the payment processor back in 2017.
Cockli is under 'attack' because they are big and popular.
Windows get more CVE per year because they are more popular

>there is no difference to the user if their PGP encrypted messages are stored in plain text or encrypted, you shouldn't trust your security to a third party if you can avoid it
I agree
But why are you saying "the cock.li TOS is "don't do crime" and they won't ever know you're committing crime since the e-mails are encrypted" in the same post lmao?
They both do. You should use GPG on both.

>BUT, from a purely functional perspective, cock.li is objectively superior to riseup when it comes to protecting your privacy, if you're serious about security i'm sure you'll understand why it's preferable to lock your door with an ugly key rather than keep it open
Again, I don't think you understand who's using riseup. Hint: Not internet schizos who think the CIA will target them specifically like 99% of cockli users (the other 1% are doing cybercrime or CSAM)

>riseup is notorious for doing shit like this where they ban the account + the people who invited them https://old.reddit.com/r/emailprivacy/comments/15gibcy/my_experience_with_riseupnet_banned/ you can find hundreds of complaints online about this stuff
Riseup ban bad actors, yes. Funny how I never had a single problem with them nor do I know anyone getting banned for using their services.
The post you linked was obviously trying to scam or SE people with that name or it's only a partial story.

>the only thing that matters is that communication through cock.li is objectively more secure than riseup
No. At this point I'm sure you are just mad because you can't get an invite and feel rejected.
Stop pretending to be stupid please.
Both services are fine. Your only point is Riseup being invite-only. Which is a decision to keep the heat lower. And again, Cockli was invite only for years too, they stopped being invite only and -surprise surprise- they are in crisis mode because of law enforcement heat, went at the edge of closing lmao. But you can pretend it's not important. Some people want -and need- to keep their email address and not fearing of being unreachable because the service got too hot as it was used by ransomware operators.

>>27802
>cock.li is being threatened with closure by glowies
<riseup continues to operate with absolutely no pressure from the powers that be
this was supposed to be a dig at cock.li? if riseup actually threatened them like cock.li they wouldn't be this comfortable, plus the fact that they want to crack down on cock.li shows that it's a service that serves your privacy well, otherwise they would attempt to infiltrate and subvert rather than shut down
i rest my case

>>27803
They are not threatening Cockli with closure. Vince wants to close it if they try anything. Not the same thing.
It's understandable but some people would prefer to keep being reachable as it wont change anything for them (GPG use + metadata being already spied on anyway) and they may need it as it's their only mean of communication with some people (like a journalist and his source, just for example).
And it may not even be true at all, for all we know maybe Vince is just trying to grab a few $. I hope not but it's a possibility.

>riseup continues to operate with absolutely no pressure from the powers that be
They were under 2 FBI gag orders a few years ago. Idk but that's some pressure.
Now they have onions, end to end encryption (irrc) and still push people to use GPG and keep ransomware operator at bay with their invite only system, that may explain why they have less pressure.

Again, please stop acting like you don't understand that. I think, I hope (as you said you work in infosec), you are just -acting- stupid.

Could I get a code too?
[email protected]