Technical security

As a collective we have a responsibility to act carefully and compassionately when it comes to the security of the users of both our physical and internet spaces. There are some things we do well and some things we need to work on. If you have questions you can email us at info@spartacusbooks.net.

Website

This website is served over HTTPS only, with legacy TLS versions disabled. It is also available as a Tor hidden service at http://spartyiv5gf77hab.onion/ (this is just being tested now; there may still be request leakage to our main site).

Store tech

We operate a wireless network in the store (Spartacus). This network is open to anyone using the space. We store no logs of network usage beyond a list of recently connected devices with their hostnames and MAC addresses. We regularly audit this data for suspicious clients.

We provide two public computers for anyone to use. These computers run a Debian flavour of Linux. We keep them up to date as much as we can. We store no logs on these machines (and are working toward reimaging them regularly). However, we encourage folks to use Tails or another live operating system on these computers if they are concerned about security.

Events/volunteer application

Our events calendar and email are hosted by Google. You should consider the security implications of sending us information via email or the events/volunteer form. Collective members can help with a lot of things in person at the store, avoiding email altogether.

Email

We can accept PGP email encrypted with our public key (fingerprint = 25C3 A3D3 5DD5 FB19 CBC8  1704 EDE2 4E51 2DE5 47FF), and we will encrypt our reply to you as well. It may take longer to receive a response if you use PGP, as not many collective members can use it.

Canary

See https://riseup.net/en/canary for an explanation of what a canary is. The canary below is signed with our signing subkey (fingerprint = 263F 6812 3BA2 CC67 F18A 1CB3 AC78 BC6C 7875 F028).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Spartacus Books positively confirms that to the best of our knowledge the integrity of our systems are sound. We have not disclosed any private information, and we have not been forced to modify our system to allow access or information leakage to a third party. We have not been forced to install equipment (eg: recording/monitoring devices) in our store that could impact the privacy of those who use the space. 

This canary will be signed on the following dates:

* March 8
* June 8
* Sept 8
* Dec 8

We will include a link to a recent news article [1] in each update to establish that the signature was not pre-generated. 

Signed on Dec 9th, 2020 (sorry its late!) by the Spartacus collective.
 
[1] https://www.burnabynow.com/local-news/cn-police-retroactively-arrest-serve-fines-for-burnaby-tmx-protests-3165934
[2] https://www.cbc.ca/news/canada/edmonton/covid-alberta-reatrictions-1.5832682
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

To verify our canary, save the signed message above as canary.txt and do the following:

  • Receive the key into GPG: gpg --keyserver keys.openpgp.org --recv-key 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
  • Confirm that the fingerprint matches; the output should be 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF: gpg --fingerprint 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
  • Verify the signature: gpg --auto-key-retrieve --verify canary.txt

There is no guarantee that this website hasn’t been tampered with, so the above key should not be automatically trusted. For better assurance that our key is correct you can come in to our store, where a printed copy of our fingerprint is posted on top of the store desk.
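
gpg --verify reports success for a good signature made by any key in your keyring, so this added example (not part of the original page) reads gpg's machine-readable status output and accepts the canary only if the signature was made by the signing subkey and primary key listed above and is recent enough. The 100-day age limit, the function names and the sample status lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pin canary verification to the fingerprints on this page.
PRIMARY_FPR=25C3A3D35DD5FB19CBC81704EDE24E512DE547FF  # primary key, from the page
SIGNING_FPR=263F68123BA2CC67F18A1CB3AC78BC6C7875F028  # signing subkey, from the page
MAX_AGE_DAYS=100  # assumption: quarterly schedule plus a short grace period

# check_canary_status NOW_EPOCH
# Reads `gpg --status-fd 1 --verify` output on stdin and prints one verdict:
# ok | no-valid-signature | wrong-key | stale
check_canary_status() {
    awk -v now="$1" -v primary="$PRIMARY_FPR" -v signing="$SIGNING_FPR" \
        -v max_age="$MAX_AGE_DAYS" '
        $1 != "[GNUPG:]" { next }
        # Signature or key expired or revoked: do not accept.
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: $3 = signing key fingerprint, $5 = signature time
        # (epoch seconds), $12 = primary key fingerprint.
        $2 == "VALIDSIG" && !seen {
            seen = 1; sig_fpr = toupper($3); ts = $5; prim_fpr = toupper($12)
        }
        END {
            if (!seen || bad) v = "no-valid-signature"
            else if (sig_fpr != signing || prim_fpr != primary) v = "wrong-key"
            else if (ts !~ /^[0-9]+$/ || now - ts > max_age * 86400) v = "stale"
            else v = "ok"
            print v
        }'
}

# verify_canary FILE: run gpg on the saved canary and apply the checks above.
verify_canary() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_canary_status "$(date +%s)"
}

# Constructed sample of gpg status output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] GOODSIG AC78BC6C7875F028 Example User (constructed)
[GNUPG:] VALIDSIG 263F68123BA2CC67F18A1CB3AC78BC6C7875F028 2020-12-09 1607500000 0 4 0 1 8 01 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF'

# Evaluate the sample as of 2021-01-01 00:00 UTC.
printf '%s\n' "$SAMPLE_STATUS" | check_canary_status 1609459200
```

Run verify_canary canary.txt after importing the key; a "stale" verdict means the canary has not been re-signed on schedule, which is the condition a canary exists to surface.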