Security

[fr] security [es] security in plain terms

English version

<< table of contents

Unfortunately, communicating securely still requires a high degree of technical savvy. By keeping communication enclosed on a single, high-security server and by making clear who the authorized audience for a particular message is, we can achieve a very high degree of privacy together with ease of use.

The first install of crabgrass, hosted at we.riseup.net, is configured to only allow https connections, and all data is stored on an encrypted hard drive. In case of a server seizure the data on the hard drive would not be accessible, because the keys are not stored on the server.

While running, the server has access to the data; that is how it can serve the data to you, after all. If the server were compromised while running, the attacker could read out the data.

Another option is share.riseup.net – it encrypts the data on the fly in your browser before it is uploaded. The URL for the data includes the key, so everyone who has the URL can download the data. But the server never gets to know the key, because it is in the part of the URL that is not sent to the server (the fragment, after the #).
Even for share.riseup.net – if the server is compromised, it could send malicious JavaScript alongside the shared document to get the document or the key from the browser that is decrypting it. But a malicious server could not read documents that are not accessed any more.

All in all, the web is still a bad environment for crypto. If you want to protect yourself from malicious servers, it is better to encrypt the data on your own computer (hard drive encryption for yourself, PGP for sharing data).

French version


Unfortunately, a good dose of technical knowledge is still needed to be able to communicate securely. By keeping communications on a single, strongly secured server and by clearly defining who may access a message, we can reach a very high degree of confidentiality while keeping a tool that is simple to use.

The first install of crabgrass, hosted at we.riseup.net, is configured to allow only encrypted (https) connections, and all data is stored in encrypted form. In case of a seizure, the data on the disk is not accessible because the keys are not stored on the server.

While running, the server has access to the data. That is how it can serve that data to you, after all. If the server were compromised while running, the attacker could read the data.

Another option is share.riseup.net – it encrypts the data on the fly in your browser before uploading it. The URL of the data contains the key, so anyone who has the URL can download the data. But the server never has access to the key, since it is in the part of the URL that is not sent to the server (after the #).
Even for share.riseup.net – if the server is compromised, it can send malicious JavaScript along with the shared document to recover its contents or the key from the browser that is decrypting it. But a malicious server cannot read a document that is no longer being accessed.

The web is still a bad context for crypto. If you want to protect yourself from malicious servers, it is preferable to encrypt the data on your own computer (disk encryption for yourself, PGP to encrypt data for sharing).

Spanish version


Unfortunately, communicating securely still requires a high degree of technical savvy. Both by keeping communication contained on a single high-security server and by making clear who the authorized audience for a given message is, we can achieve a high degree of privacy and ease of use.

The first install of crabgrass, hosted at we.riseup.net, is configured to allow only secure connections (over https), and all data is stored in a secure format.

German version


Unfortunately, communicating confidentially still takes some technical understanding. Through a single high-security server, and access restrictions that can be applied to individual entries, we can guarantee a high degree of confidentiality and easy operation.

The first install of Crabgrass, hosted at we.riseup.net, allows only connections via https, and all data is stored on encrypted hard drives.

While the server is running, it has access to all data; otherwise you could not use its services at all. If the server were compromised during operation, the attacker could read the data.

Another option is share.riseup.net – it encrypts the files before they are uploaded. The URL for the data contains the key, so anyone who has the URL can download the data. The server, however, never learns the key, because that part of the URL (after the #) is not sent to the server.
But even with share.riseup.net: should the server be compromised, it could send malicious JavaScript alongside the shared file to get at the file or at the key the browser uses to decrypt it. However, a malicious server could not read files that are no longer being accessed.

All in all, the web is still not a good environment for crypto. If you want to protect yourself from malicious servers, you should rather encrypt data on your own computer (hard drive encryption for yourself, PGP if you want to share data with others).

Greek version


Unfortunately, a great deal of technical skill is still needed to achieve secure communication. By keeping communication on a single, high-security server, and by making clear who the authorized audience for a particular message will be, we can achieve a very high degree of privacy protection and ease of use.

The first install of crabgrass, hosted at we.riseup.net, is configured to allow only secure (https) connections, and all data is stored in encrypted form.

 

How exactly is server-side encryption realized?

 
 

on the subject of security (& I’m still quite a newbie) but how do we remove a member/profile from our group? If a profile is clearly identified as erroneous or a security threat, how do we remove them from our group? We’ve set up a coordinating council but there doesn’t seem to be any clear guidance on how to go about this. There seems to have been a significant amount of infiltration activity recently here in the UK, and the profile we wish to remove has been verified as warranting immediate removal. Quick help would be really appreciated!

 
 

What’s to stop another more subtle infiltration attempt? (assuming that’s what it is).

Nothing – unless you totally close the group off, or only allow new people to join that have been positively verified in the ‘real world’ by LSD test/Jah guidance circle or whatever… i.e., basically making a genuine anti-babylon, occult circle reality that will not just out cops by the way, but also do some amazing magic!… and hence perhaps the reason why cops can infiltrate activist groupings in the ‘real world’ – the heavy presence and influence of ultra-materialistic politicos. (Or maybe, as I am certain in the case of the great big famous ‘dongas’, who are well into magic/paganism, a ‘babylon compliant’ occult circle, either because they simply reflect the reality of mainstream western society around them anyway, or because they are/were totally compromised by MI5, as I assumed at the time – rather than the regular police force. I would say that MI5 are even more on the psychological con trick/blag than the regular cops… I could tell you a real horror story about that one… ‘donga’ reality as regards the babylon ritual abuse system, but I’ll save it for another time.)

I met Mark Kennedy (the infamous undercover cop) by the way, at the London 2007 Anarchist Bookfair afterparty at the Rampart ‘Anarchist’ autonomous centre in Hackney. I was in the process of focalising a Jah Guidance circle, passing round a sacrament of outdoor-grown organic ganja. Kennedy rejected this… left the room with his woman. Discussion was about testing for undercover cops by LSD test. Kennedy’s woman (the red-haired one) was outraged that people might be dosed with LSD without consent. The inner clique of the activist centre there was totally within the psychological/spiritual control of the cop/babylon. You have to break their ego control, over themselves and others, in the right setting… that is gonna be difficult in the activist scene in the UK as it is now – with its very materialistic, politico and headstrong/egotistical individuals… and the state will wanna keep it that way.

I did wonder where the convoy crowd were at that event, seeing as it was supposed to be an anarchist event!

Weird… seriously it was weird. Where’s the convoy?! Kennedy etc. would never have survived that test.

As I left the Rampart event Kennedy was on the door. He said to me something like “you’re banned”, saying “he’s a cop” to the 20-year-old kids around him. Cheeky cunt! (Kennedy was an ‘oldie’, like me by the way. He was late 30s… only a few people there that old.)

Listen youthman – if you have a real anarchist collective consciousness reality, then you will also have a ‘karmic trap’ for the babylon ritual system and its agents, and thus such realities cannot be infiltrated, and will break babylon control in the undercover cop’s mind, either him going horribly insane and his ego fighting universal energies, or he/she comes over and is a double agent for us – which of course would be mind-blowingly useful! (paperwork evidence/hierarchy orders of agent provocation/psy ops, access to intelligence files etc. etc. etc.)

… so unless positively sorted otherwise, assume any publicly available/accessible type of relevant activist grouping is infiltrated, and so don’t talk about any illegal activities or otherwise unless you want the state to know about it. It must be horrible for those friends of Mark Kennedy to know that the state knows absolutely everything there is to know about them… but as you might guess, I’m not entirely sympathetic because many of these activists and groups are very, very annoying in various ways, and the crux is, as said, the babylon system and its agents should not be able to infiltrate a supposed anarchist/tribal sovereignty group in the first place. (Another matter on the internet.)

I would urge respect for Native American traditionals by the way… speaking specifically about the Makah whaling issue… and so thus another crux issue that will cause issues for many activist groupings, due to the attitude of born-again evangelical animal rights extremist individuals in these groups, who always seek to impose their views on the group that they are part of.

It should be noted that many cyber activities are carried out by places like the Rampart centre by the way, and again I emphasise that the energy of the operation there was totally compromised by the babylon (as well as the material intelligence-gathering type factor). I read somewhere that Mark Kennedy sold Ecstasy on occasion. With that drug, setting would be crucial (to focalise a sound occult collective reality, such as the old-school Exodus festivals)… like I suggest, LSD in a UK peace convoy context would be a totally different matter, and I think it’s fair to say, a test Kennedy etc. would fail.

Jah Bless

 
 

I posted this up on Indymedia UK on a ‘features’ Mark Kennedy etc. thread. It was deleted… due to, I would say, the arrogance and ego of the inner circle people in that scene… and there has to be the possibility of state/government agent infiltration of Indymedia UK moderation (at least in terms of energy control). I mean it would be naive to think otherwise in terms of actual agent penetration. Not only did the material get moderated/censored off, but in the ‘real world’ the self-same people subsequently attempted to turn the process I describe above (Exodus chaos trap for babylon, type thing) against me in a convoy… or at least ‘new age traveller’ (UK hippy travellers) setting. (You could say convoy are new age travellers, but new age travellers are not necessarily convoy, which is kinda more tribal.) So anyway. I’m outta the game. Enough.

 
 

Can we get a better explanation of how security works on Crabgrass? Is the encrypted server zero-knowledge? How much access do super-admins have to a private group? Can a seized server have its encryption broken? What if they pressure a super-admin to open up the contents?

 
 

Thanks for bringing this to my attention. I updated the description.

 
   

Thanks, Azul, that was helpful and informative. I also understand that the “server” has access to our data while running. However, (and I realize this may be an ignorant question, but) does the superuser status of the system administrators grant them access to my group areas and private pages, even if I have not explicitly granted them access?