Riseup Security Bulletin

As you have probably read, there are three related security problems in contemporary CPUs. These vulnerabilities open the potential for a nefarious program to steal passwords, secrets, and personal information from your computer, even if the program is just Javascript loaded from a web site you visit. These vulnerabilities are as serious as they sound, and you should take action to upgrade your software.

* The first flaw, called “Meltdown,” affects nearly all Intel CPUs and has been fixed with updates to most operating systems.

* The two other flaws, called “Spectre,” apply to nearly all CPUs built in the last 20 years, not just Intel, although they are more difficult to exploit. There are no permanent fixes for Spectre available at this time, although if you update your software you will make these attacks much less likely.

You should take *both* these steps now, for all your devices:

(1) Upgrade your web browser (see below). These fixes make the new attacks against CPUs much more difficult.

(2) Upgrade your operating system. There are updates available for Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for Intel CPUs and provide some mitigations for Spectre. Additionally, new releases of iOS and Android have mitigations for Spectre.

Better fixes will continue to arrive in the next weeks/months for your operating system and software. Please keep your system up to date!

Browsers

By updating your browser, you can make it significantly harder for an attacker to steal secrets off your computer using Javascript loaded from a web site you visit.

Firefox version 57.0.4 and later includes mitigation measures against Spectre attacks [1].

Edge has been updated to include Spectre mitigations. When you apply the latest Windows update, you will get the new version of Edge.

Safari will be updated very soon, according to Apple. Check the App Store updates.

Chrome will include Spectre mitigations starting with version 64, to be released Jan 23. In the meantime, you can change your configuration to greatly mitigate against the Spectre vulnerability by enabling “site isolation”: https://support.google.com/chrome/answer/7623121?hl=en

Additionally, please see https://riseup.net/en/better-web-browsing for instructions on best practices for securing your web experience (which will also help mitigate against these new attacks).

Windows


For Windows 10, you must first upgrade any anti-virus software before upgrading Windows. Failure to do so may make your computer stop working. [2]

To upgrade Windows 10:

> Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.

Now is a good time to enable automatic updates:

> Select the “Start” button, then select “Settings” > “Update & security” > “Windows Update” > “Advanced options” and then under “Choose how updates are installed”, select “Automatic (recommended)”.

If you are running Windows 7 or 8, an update is also available.

macOS


If you already have macOS version 10.13.2 then you are protected against Meltdown [3]. Otherwise, to upgrade macOS:

> Open the App Store app on your Mac. Click “Updates” in the App Store toolbar, then use the “Update” buttons to download and install any updates listed.

Now is a good time to enable automatic updates:

> Select the Apple menu, then select “System Preferences” > “App Store” > “Automatically check for updates”.

Apple plans to soon release an update to Safari browser to provide some mitigation against Spectre.

iOS


Apple has said that iOS is affected by Spectre, and an update to mitigate against most of the new attacks has been released. If you have iOS version 11.2 or later, then you are good [3]. To check for new updates, go to Settings > General > Software Update.

Android


The bad news is that Android is vulnerable to Spectre and unless you have a Google-branded phone or run a custom firmware you might not get an update for months, if ever. However, the consensus among security researchers at the moment is that the Spectre attack is difficult enough that there are probably easier ways to compromise an Android device. Yeah?

There is one thing you can do now to make your Android device more safe against these new CPU attacks:

* Turn on “site isolation” in Chrome: https://support.google.com/chrome/answer/7623121?hl=en
* Upgrade Chrome Browser after Jan 23.
* Alternately, use Firefox for Android.

Debian/Ubuntu GNU/Linux


Run “Software Center” or “Software Updater.”

Alternately, open a terminal and type:

sudo apt update
sudo apt upgrade
sudo reboot

Fedora GNU/Linux


Open a terminal and type:

sudo dnf --refresh update kernel
sudo reboot
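After rebooting into the new kernel, it is worth confirming that the update actually took effect. Recent Linux kernels (4.15 and later) publish their own view of each CPU flaw under /sys/devices/system/cpu/vulnerabilities/, one file per issue containing a line such as “Not affected”, “Mitigation: PTI” or “Vulnerable”. The following is an added example, not Riseup's code, that reads that directory and tells you whether anything is still reported as unmitigated. The sample status dictionaries inside it are constructed for illustration, and the exact wording of the mitigation names varies by kernel version.

```python
"""Report the kernel's own view of Meltdown/Spectre mitigation status (added example)."""
from pathlib import Path

# Directory the Linux kernel (4.15+) uses to report CPU vulnerability status.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed samples of what the sysfs files might contain, before and after
# a kernel update. Real wording differs between kernel versions and CPUs.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def read_vulnerability_status(directory=SYSFS_DIR):
    """Return {issue_name: status_line} for every file in the sysfs directory.

    An empty dict means the kernel does not report status at all, which on
    an x86 machine is itself a sign that the kernel predates the fixes.
    """
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {
        p.name: p.read_text().strip()
        for p in sorted(directory.iterdir())
        if p.is_file()
    }


def unmitigated(statuses):
    """Names of issues the kernel reports as 'Vulnerable' (no mitigation active)."""
    return sorted(
        name for name, status in statuses.items() if status.startswith("Vulnerable")
    )


def summarize(statuses):
    """Return (human-readable text, ok) where ok is True when nothing is left vulnerable."""
    if not statuses:
        return ("kernel does not report CPU vulnerability status; update and reboot", False)
    lines = [f"{name:12s} {status}" for name, status in statuses.items()]
    bad = unmitigated(statuses)
    if bad:
        lines.append("still vulnerable: " + ", ".join(bad))
    return ("\n".join(lines), not bad)


def report(directory=SYSFS_DIR):
    """Read the live sysfs directory and summarize it."""
    return summarize(read_vulnerability_status(directory))


if __name__ == "__main__":
    text, ok = report()
    print(text)
    print("OK" if ok else "ACTION NEEDED: update your kernel and reboot")
```

Run it as a normal user after the reboot; no root is needed to read these files. A status of “Not affected” is fine (for example on CPUs that are not susceptible to Meltdown), and a missing directory means the kernel is too old to know about the issue at all.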

Stay safe, keep strong,
The Riseup Birds

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
[2] http://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/
[3] https://support.apple.com/en-us/HT208394



Riseup Newsletter

Riseup have been showering us with newsletters just lately so we haven’t had time to publish them all, maybe if you send them some money, they’ll ease up!

Hey you!

Yeah you, over there with the big dreams and the sweet heart. Can you give some money to Riseup today? We could really, really use it. Give a little, give a lot! We are super grateful for any and all help to keep our tech collective going.

Why should you support Riseup? Well, we do all kinds of cool stuff, like make new ways to share files securely (https://share.riseup.net/), offer some of the safest VPN on the planet (https://riseup.net/vpn), have cool communication tools (https://we.riseup.net/), and provide a ton of email and lists to all of our users.

And why do we do this? The deep reason is we believe in your projects and work, and your right to more secure and private communications. We support tens of thousands of people and groups working on community building, anti-racism, political art, indigenous rights, health care, the environment, and so much more. We support documentary film makers, organic farmers, pipeline resisters, tech activists, people learning more about politics, and people who’ve been part of justice movements for decades, to name a few.

As an Argentinian social activist who uses Riseup to help victims of domestic violence and human trafficking wrote, “The value of having secure means to speak to other people about topics that those in power don’t want to be talked about cannot be overstated.”

We agree! Please keep us existing and thriving.

donate

Love,
The Riseup Birds

Also, we have The Super Deluxe Bread and Roses Riseup Raffle [1]

Two lucky people who donate to Riseup will receive a big box of fair trade chocolate, amazing print art, mounted protest photography, top shelf radical science fiction, the blackest coffee, bleeding edge political nonfiction, a 2018 organizer, and more!

If you already have a recurring donation, you will be in the raffle! If you donate through paypal or flattr there will be an email associated with your donation and we will use that to enter you into the raffle. If you are sending a donation by mail, please include an email address with your donation. If you send a wire transfer, please email raffle@riseup.net and provide your donation details.

Huge thanks to the beautiful friends who made these donations possible: AK Press, Aqueduct Press, Equal Exchange, Justseeds, PM Press, Riseup Coffee, the Slingshot Collective, Linda Wasson (earthdocumentaryresistance.org), and our very own Black-collared Jay.

[1] Rose Schneiderman, a labor union activist, coined the phrase “Bread and Roses”, to indicate a worker’s right to something higher than subsistence living


Riseup newsletter Aug 2017


Use share.riseup.net to share files with your people


A friendly reminder about one of our favorite Riseup tools:

share.riseup.net. It’s useful for when you want to share something with your comrades, but your file is too big for an email attachment. Share.riseup.net temporarily shares those large files. Simply press the upload button, select your file, and then share the URL with anyone who you want to share the file with. The link will work for about a week.

To get more technical, share.riseup.net is an easy to use client-encrypted “pastebin” and “imagebin” that we host. When you share a file, it is encrypted before leaving your computer, so we don’t have a copy of what you are sharing. Please note: this kind of client-side encryption, where the program comes from the server can be bypassed if the provider adds a back door. We don’t have a back door, but it is difficult to verify this. For security where you are not putting your trust in anyone, you need to use an encryption application that is not web-based.

Accessibility Help


Riseup offers lots of services, and we know all of you have different bodies with different abilities and barriers in the daily use of these services.

Our core mission is to make liberated communications for all, and we want to make Riseup easier for all bodies to use. We need your help to do that. If you have difficulty using Riseup, please tell us about it by writing to accessibilty@riseup.net. From your feedback, we will know where we should focus our efforts to improve the accessibility of Riseup services.

Your Sent mail folder


We are no longer doing automatic deletion of messages that are older than 120 days from your “Sent” folder. Beware: this folder can now pile up with all of your manifestos and eat up your quota. Messages in “Trash” will still be deleted after 21 days, and messages in “Spam” will still be deleted after 7 days.

Thanks


Thanks to all the thousands of people who gave us money over the last couple of months to keep us going. This project to bring secure communication tools to the unruly masses is our heart and soul, and you make it possible. Any more money any of you can donate would be amazing.

Thanks.

donate

Message from Riseup: Single Invite.

Single Invite

Because Riseup does not tie user account creation to a phone number or credit card information, many people attempt to obtain Riseup accounts for the purpose of sending spam or phishing email.

In the past, we asked people to write a short description of their activism in order to try to eliminate these scammers. Unfortunately, over the years, this has been excellent training for teaching scammers how to sound *exactly* like activists. It got to the point where if an account request sounded too inspiring and awesome, it was probably fake. This has been a huge problem for us.

Another problem is that whenever a Riseup bird leaves their cozy nest, someone always mentions that they tried to get a Riseup account and were rejected. Many apologies! We were not judging you. It is likely that you sounded too wonderful and therefore seemed like a scammer.

In light of this, we have made two changes:

(1) We have removed the ability to request a new account.

(2) We have simplified the process of creating a new account with an invite.

It now only requires a single invite in order to create an account, and every user is able to create more invites. In order to create an invite for someone, log in to https://account.riseup.net

To prevent abuse, new users are not immediately able to create invites. We are hopeful this will make life better for everyone.

Personally Encrypted Email Storage


After much effort, we are happy to announce a new feature! We have taken action to ensure that Riseup never again has access to a user’s stored email in plaintext. Now all new Riseup email accounts will feature personally encrypted storage on our servers, only accessible by you. In the near future, we will begin to migrate all existing accounts to use this new system.

To be absolutely clear, this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in. For full end-to-end email encryption, as before, you must use a client that supports OpenPGP (and is not web-based).

We are working to roll out a more comprehensive end-to-end system in the coming year, but until that is ready, we are deploying personally encrypted storage. This new per-user encryption is on top of the system full disk encryption which we have done since 2001.

If this doesn’t really make sense, we’ve done our best to explain it more fully at:

WARNING: Once an account is using the new system, the ONLY way to reset your password is with a recovery code. One of the downsides of us not having your information is that we do not have your information. This means you MUST write down your recovery code and keep it in a safe place. If you lose your password and your recovery code, your email will be IRREVOCABLY LOST and it will be technically impossible for us to recover it.

New and Improved!


We’ve recently switched to new systems for account management and support. The old system was first started nearly 10 years ago, lacked some modern features, and was getting to be a burden to maintain. To adjust your account settings, you can now go to https://account.riseup.net
To file (and help answer!) support tickets, go to https://support.riseup.net

On a related note, we’ve answered as many of the help tickets from the old system as we could and turned it off. If you submitted a ticket there and still need help, please file a ticket in the new system.

Riseup Translators Are Awesome!


If you are reading this (or any Riseup web page) in a language other than English, you have the Riseup translators to thank! They do a great job of making sense of our tech jargon and English idiom-filled writing, translating not just words but modern concepts and politics. Thanks to all our translators!

We are not a Business


Riseup is not a business. We are not in this collective to make money. We do this because we believe in the project of supporting activists changing the world for the better. We believe in making better tools for you and you to communicate and organize with. We are not a business, and yet, and alas, we do need money to keep the machines working, to pay the bills, and to pay for the labor that keeps everything working all the time.

It’s been a while since we sent a newsletter out because we’ve been super busy creating new systems and technologies that we think will help all of you. Because of that, we’re behind on fundraising goals. Please donate today, if you can!

Last, We Love You


Thanks to everybody that has supported us during the recent changes with your ideas, code, words of support, money, trust. Thanks for all that you do in your struggles around the globe to advance social justice, resist fascism, and make the sunshine a little brighter.

With Love and solidarity,
Riseup, your friendly radical tech collective

Message From Riseup: Crisis averted! Krise abgewendet! Crise evitada!

[en] English – Crisis averted!
[de] Deutsch – Krise abgewendet!
[pt] Português – Crise evitada!
[es] Castellano – ¡Crisis superada!
[fr] Français – Une crise évitée
[it] Italiano – Crisi evitata!



Crisis averted!

Thanks again to all the people who contributed in September in response to our urgent appeal. Your generous response was overwhelming and inspiring.

Many people grew alarmed after reading our last newsletter, and wrote us to ask how serious our situation actually is. Yes, our financial situation has been dire. It is also true that Riseup has weathered lightning strikes, melting computers, internal conflict, illness, national borders, and a car crash. We cannot confirm the alien abduction. Riseup is a quixotic project: the thing we do is persevere, against all reason.

Somehow it works, but this is not a sustainable way to operate. What would it look like if Riseup was run properly? Help tickets would be answered in a timely manner, our services would be more reliable and more secure, and you would not need a different account for each different service. Most importantly, Riseup would be more accountable and more responsive to the needs of the communities we seek to serve. Although your generous support has averted our current crisis, Riseup does not yet generate the donations or the volunteer labor needed for Riseup to thrive.

This means we are going to keep asking for your support! If you missed out, it is never too late to donate. Please visit https://riseup.net/en/donate

Quota increased

Back in June, we said we would put all donations received that month toward increasing quota. We received enough money to double quota, and we will be increasing quota again as soon as we can. A few things to remember about quota:

* Riseup has a “default” starting quota, but you can also optionally double your quota by logging in at https://user.riseup.net

* If you changed your quota in the past, you do not automatically get higher quota now that the limit has been changed. You need to login to https://user.riseup.net to do this.

* If you would like increased security, and better control over your own data, we suggest that you consider using POP instead of IMAP or web-mail. With POP configured to remove messages from our servers, you will never need to worry about quota or Riseup storing your email. For more information, see: https://riseup.net/en/email/clients

Security practices for everyone

Computer security is hard, and even big corporations get it wrong most of the time. What is an activist to do? There are four easy first steps that you should take to get started:

(1) Do not open email attachments. Honestly, just don’t do it, ever. Email attachments are the single most common cause of security problems. If you must open an email attachment, first contact the sender and confirm that they sent it. In general, you can never trust the identity of the sender [1].

(2) Use a password manager. Some password managers are better than others, but what really matters is that you start using one. Let your beautiful brain fill up with something better than passwords. Remember one long password, and let the computer remember everything else.

(3) Keep your software and operating system up to date. The sad reality is that technology is a never ending treadmill of doom. If you are running old software, you are probably exposing yourself to all sorts of known vulnerabilities that an attacker can take advantage of.

(4) Check out our Better Web Browsing tutorial: https://riseup.net/en/better-web-browsing

[1] Technical note: It is possible to verify the identity of the sender, if the message is signed with OpenPGP or S/MIME. Otherwise, even technically savvy people need to exercise extreme caution (for example, DKIM doesn’t prevent domain name homograph attacks, a phishing method using similarly looking characters. Our help page on Phishing – https://riseup.net/en/phishing – has more info).


Riseup financial update



The news is not good

We hate to be bad news birds, but we need to tell you that Riseup will run out of money next month. We had a number of unexpected hardware failures, lower-than-expected regular donations, and a record year of new Riseup users which puts more financial pressure on us than ever before.

We need your help to keep things going this year, so we are starting a campaign to ask Riseup users to give us just one dollar!

Can you give us a dollar? There are a lot of easy ways to do it: https://riseup.net/donate

Is it really worth giving just a dollar?

Yes! It might seem inconsequential, but if you and every Riseup user gave us just one dollar, that would fix our current financial problem.

Riseup is now delivering over a million messages a day, but we need your help if the messages are to keep flowing. You know the importance of alternative infrastructure. You know the importance of communications systems that put people before personal tracking and corporate profiteering. We *need* at least 5% of our users donating monthly to be sustainable. Can you become a monthly donor?

Spread the word

Are you friends with a carrier pigeon? Do you know Morse code? Are you skilled in building signal fires? Help us spread the word about this campaign with your community. You can even use the internet, that might work too.

Not everyone can afford a dollar to donate. We provide services to so many people and social movements around the world, many in places where even one dollar is a lot of money. If you can give us one dollar, maybe you can cover one other person by giving two?

In Europe it is now easy to give to Riseup with a simple bank transfer! Tell your friends that it is finally easy.

Thanks!

Really! Truly! Thanks for all that you do, day in and day out, on our long march toward making the world a better place. If you can, help us continue our work, too. That would be excellent. https://riseup.net/donate