Archives for 2014


(n+1)sec = privacy on the Net

In advance of this year’s Human Rights Day, eQualit.ie is proud to release the first public draft of a provably secure protocol for group messaging on the Internet.


The protocol provides end-to-end security for synchronous communications between any number of people. It is efficient and builds on recent advances in cryptographic research. The security properties of (n+1)sec include:

  • Confidentiality: the conversation is not readable to an outsider.
  • Forward secrecy: conversation history remains unreadable to an outsider even if participants' long-term keys are compromised later.
  • Deniable authentication: participants can verify each other during the chat, but nobody can prove to a third party that you took part in it.
  • Authorship: a message recipient can be sure who sent a message, even if other participants in the room try to impersonate the sender.
  • Room consistency: group chat participants can be confident that they are in the same room, with the same set of participants.
  • Transcript consistency: group chat participants can be confident that they are seeing the same sequence of messages.

The protocol is being implemented as a FLOSS libpurple plugin and will find its first home in crypto.cat. We anticipate wide adoption in other instant messaging platforms. Contact us, join the conversation or check out the code on GitHub.


Moving Your Site to HTTPS

HTTPS (HTTP with an S for "secure") is the protocol that protects your users' connections to your website: it is ordinary HTTP carried over TLS. Data sent over HTTPS gets three layers of protection:

  1. Encryption: an eavesdropper on the path between browser and server cannot read the pages a user requests, the content of the responses, or the form data, cookies and passwords the user sends. (Which site is being visited and how much traffic flows remain observable; HTTPS hides content, not the existence of a connection.)
  2. Integrity: data cannot be tampered with as it travels between your website and the user's browser, in either direction, without the tampering being detected and the connection failing.
  3. Authentication: the browser verifies that it is really talking to your website, using the certificate described below. This prevents man-in-the-middle attacks and stops attempts to lure your users to a fake copy of your site or to download tampered files.

Enhancing security is reason enough to move your website to HTTPS, but note that it may also slightly improve your website's search ranking.

TL;DR – How to activate HTTPS on eQPress

If you have already generated a TLS certificate for your website, you can install it via the Deflect dashboard. Once the certificate and its private key are installed, your website is accessible over HTTPS.

If you don't have a certificate yet, contact us through the Deflect dashboard or send us an email and we will generate one for you.

Keys and Certificates

For TLS (the successor to SSL) to work, your server needs a private key and a certificate that matches it. You generate the key pair yourself; the public half goes into a certificate signing request (CSR), and when a certificate authority signs that request, the result is your certificate. The private key and the certificate both need to live on the server that hosts your website, so the web server software that sends your pages to visitors can also set up the secure (TLS) connection with the browser. The private key is the secret that makes the certificate worth anything: keep it readable only by the web server and do not copy it anywhere it is not needed. If you know how, you are free to generate your key pair and CSR and then send them to us through the Deflect dashboard. Otherwise, we are happy to generate the key pair for you.
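As an added example (not code from the original post), the shell script below uses the openssl command-line tool to generate the key pair and CSR described above and to check that a certificate matches the private key before the pair is installed. The domain name and file paths are placeholders; the self-signed certificate is produced only so the check can be exercised locally, and a real site needs the CSR signed by a CA.

```sh
#!/bin/sh
# Added example, not code from the original post: create a private key and a
# certificate signing request (CSR) with the openssl command-line tool, and
# check that a certificate really belongs to a key before installing the pair.
# "example.com" and the output directory are placeholders for your own values.
set -eu

# gen_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (2048-bit RSA private key, readable only by the
# creating user) and OUTDIR/DOMAIN.csr, which is what the CA signs. The CSR
# lists the hostnames as Subject Alternative Names, which is what browsers
# actually check; the Common Name on its own is no longer enough.
gen_key_and_csr() {
    domain=$1; outdir=$2
    mkdir -p "$outdir"
    ( umask 077   # the private key must never be group- or world-readable
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$outdir/$domain.key" 2>/dev/null )
    # Request configuration: non-interactive, CN plus SAN for apex and www.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'req_extensions = san' '[dn]' "CN = $domain" '[san]' \
        "subjectAltName = DNS:$domain, DNS:www.$domain" > "$outdir/$domain.cnf"
    openssl req -new -key "$outdir/$domain.key" -config "$outdir/$domain.cnf" \
        -out "$outdir/$domain.csr" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only if the certificate carries the public half of KEYFILE. A
# mismatched pair is the classic cause of a web server that refuses to start
# (or serves the wrong certificate) after a renewal.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# self_sign_for_testing KEYFILE CSRFILE CERTFILE
# Produces a self-signed certificate from the CSR so the check above can be
# exercised locally. Browsers will not trust it; a public site needs the CSR
# signed by a CA such as Let's Encrypt.
self_sign_for_testing() {
    openssl x509 -req -in "$2" -signkey "$1" -days 1 -out "$3" 2>/dev/null
}

# Demonstration when run directly (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_key_and_csr example.com "$work"
    self_sign_for_testing "$work/example.com.key" "$work/example.com.csr" \
        "$work/example.com.crt"
    if key_matches_cert "$work/example.com.key" "$work/example.com.crt"; then
        echo "key and certificate match"
    else
        echo "MISMATCH: do not install this pair" >&2
    fi
    rm -rf "$work"
fi
```

Before sending a CSR off to be signed, `openssl req -text -noout -in example.com.csr` shows exactly what the CA will certify; after the signed certificate comes back, run the key_matches_cert check against it rather than against the self-signed stand-in.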

Certificate Authority

To generate a free certificate signed by a certificate authority, the easiest way is to use Let’s Encrypt, a free, automated, and open certification authority run for the public’s benefit.

If you prefer to have your HTTPS certificate signed by a different certification authority, here’s a short list of services that will sign it for you:

RapidSSL
NameCheap

Analytics and Tracking

If you use analytics tools like Google Analytics, you will want to update the URL that you are tracking from HTTP to HTTPS. Make sure you do this both in analytics and Google Webmaster Tools.


Recommendations for Improving Your WordPress SEO

When it comes to search engine optimization (SEO), choosing the right WordPress theme framework is critical. Genesis does a great job of doing all the right things for SEO. You will also want some kind of analytics tracking on your site so you can gain insight into who is visiting and how the site is being used. Most people use Google Analytics, but before you add it, consider that the eQPress Console already shows you some statistics, and that Google Analytics, like other third-party website statistics tools, tracks your readers and can violate their privacy. If you decide to use one of these tools anyway, Genesis provides a field on the Theme Settings page (wp_footer) where you can enter your analytics tracking code.

There are other great theme frameworks that are just as effective as Genesis, but if you choose not to use a framework or prefer to build your own theme, then you should use a plugin such as wordpress-seo by Yoast and use that to further optimize your pages and posts for SEO. The plugin has a ton of options which can be a bit overwhelming, but typically the defaults are fine. The plugin will also analyse your pages and give you recommendations on how to improve your content, title and other aspects of the page to make it better for SEO. There are lots of tutorials on using the plugin and of course the author of the plugin is a great source for learning about SEO: https://yoast.com

A couple more recommendations: in addition to a Google Analytics account for your site, create a Google Webmaster Tools account and link it to your analytics account. The other is to create a sitemap.xml file, which search engine crawlers look for in order to index your site more accurately. The wordpress-seo plugin will create one for you, but there are simpler plugins for just this task, such as google-sitemap-plugin.


Choosing a Canonical Website Address

Canoni-what?

Canonical is the word used to describe the one address that you want the world to go to when they look you up. The typical choices are whether to use www in front of your domain or not. The classic example follows:

http://www.example.com/

or

http://example.com/

Choosing what your canonical website address (URL) will be is totally up to you. It’s a preference and there’s no right answer. As you can see by looking up at your browser’s location bar now, eQualit.ie has chosen a URL without www. If you start taking notice of the other websites you visit, you’ll probably see that there’s no regular pattern. Google chooses www. The wordpress.org team chooses non-www. It really doesn’t matter. What does matter is making that choice early and sticking with it.

Considering the Apex

One factor specific to hosting on Deflect: your site is placed behind the network by pointing its hostname at a Deflect hostname with a CNAME record, and the DNS standards do not allow a CNAME at the bare domain (the zone apex, where the SOA and NS records live). Some DNS providers offer a workaround, usually called ALIAS or ANAME, that lets the apex behave as if it pointed at another hostname. If your DNS host does not support this feature, we recommend you choose www as your canonical website address and redirect the bare domain to it.

References

Here’s an article at Google Webmaster Tools called Use Canonical URLs that will help you to learn more about their view of canonical URLs.

Also, Matt Cutts provides some very helpful insight and a FAQ about SEO and URL canonicalization.


Standing strong in August

Ongoing conflicts in Ukraine and the Middle East saw a stream of independent media and human rights organizations turn to Deflect for DDoS protection. The network delivered over 75 million pages to legitimate readers in August, our highest numbers to date. One week in particular stood out as we brought on board two websites in the midst of ongoing DDoS attacks against them.

One of the sites was getting hit by a botnet built on a newer version of the Dirt Jumper malware. We had previously trained our edges to recognize and protect against Dirt Jumper bots but this network displayed different behaviour to which we had to adapt. Their attacks did not bypass our caching network.

The other site came on board in the midst of a sophisticated and prolonged attack that used various methods to bring it down. One notable vector was a pingback DDoS launched through third-party WordPress sites. This is a reflection attack that abuses a feature shipped in the WordPress core package: the XML-RPC pingback method, meant to let blogs notify one another when they link to each other, fetches any URL named in a pingback request in order to verify it, so an attacker can make thousands of unwitting WordPress installations fetch pages from the target. Furthermore, the attackers used their entire network of 14,000 hosts in concert, hitting the target from each bot only once or twice at a time. This is unusual behaviour: botnets usually try to overwhelm a website by hitting it often and hard (and give away their malicious intent in the process). In this case the botnet was tailored to attack targets behind a caching infrastructure such as ours. Initial pattern recognition for the IPs in question was difficult. The sysops team quickly caught up, though, and isolated all of the hosts from accessing the network. Here is an example of a log entry from this attack, with identifying values replaced:

SOURCE_IP – [DATE_AND_TIME] “GET /PAGE HTTP/1.0” http SITE_DOMAIN 200 158580 “WordPress/3.9.2; http://ATTACKERWORDPRESS; verifying pingback from PINGBACKURL” TCP_MISS text/html ORIGIN_SERVER 5621

Readers running websites on WordPress are advised to install the Disable XML-RPC Pingback plugin so that their own installation cannot be used as a reflector in this way. (Disabling XML-RPC entirely is simpler still, as long as nothing you use depends on it; the Jetpack plugin and the WordPress mobile apps do.)
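As an added example, not part of the original post, the script below shows the detection logic an edge could run over access log lines in the format of the entry above. The five log lines are constructed for this example, with documentation-range IP addresses and placeholder hostnames. The point it makes is that the signature is the "verifying pingback from" phrase in the User-Agent header, which identifies the WordPress pingback verification fetch however rarely each source IP appears, so a request-rate threshold is not needed and would not work against a botnet that hits once or twice per host.

```sh
#!/bin/sh
# Added example, not part of the original post: pick WordPress pingback
# reflection traffic out of an edge access log in the format shown above.
# The five log lines are constructed for this example (documentation IP
# ranges, placeholder hostnames); they are not real attack data.
set -eu

SAMPLE_LOG='192.0.2.10 - [08/Aug/2014:10:00:01 +0000] "GET /news/ HTTP/1.0" http example.org 200 158580 "WordPress/3.9.2; http://blog1.example; verifying pingback from http://victim.example/p/1" TCP_MISS text/html origin1 5621
198.51.100.7 - [08/Aug/2014:10:00:02 +0000] "GET /news/ HTTP/1.0" http example.org 200 158580 "WordPress/3.8.1; http://blog2.example; verifying pingback from http://victim.example/p/2" TCP_MISS text/html origin1 5590
203.0.113.5 - [08/Aug/2014:10:00:02 +0000] "GET /news/ HTTP/1.1" http example.org 200 158580 "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0" TCP_HIT text/html - 3
192.0.2.10 - [08/Aug/2014:10:00:09 +0000] "GET /about/ HTTP/1.0" http example.org 200 40211 "WordPress/3.9.2; http://blog1.example; verifying pingback from http://victim.example/p/3" TCP_MISS text/html origin1 4102
203.0.113.9 - [08/Aug/2014:10:00:10 +0000] "GET /feed/ HTTP/1.1" http example.org 200 9000 "WordPress/4.0; http://blog3.example" TCP_HIT application/rss+xml - 2'

# pingback_sources: read log lines on stdin, print "COUNT IP" for every source
# that sent a pingback verification request, busiest first. The signature is
# the "verifying pingback from" phrase WordPress puts in its User-Agent, not
# the WordPress/ prefix on its own: the last sample line is an ordinary
# WordPress fetch and must not be flagged. Every IP listed here is a ban
# candidate regardless of its count.
pingback_sources() {
    grep -F 'verifying pingback from' \
        | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | LC_ALL=C sort -rn
}

# abused_wordpress_hosts: the WordPress installations being used as
# reflectors, taken from the URL WordPress includes in the same User-Agent.
# These are third-party sites whose owners can be told to disable pingbacks.
abused_wordpress_hosts() {
    sed -n 's|.*"WordPress/[^;]*; \(http[^;]*\); verifying pingback.*|\1|p' \
        | LC_ALL=C sort -u
}

# Demonstration when run directly.
echo "pingback sources (count ip):"
printf '%s\n' "$SAMPLE_LOG" | pingback_sources
echo "abused WordPress hosts:"
printf '%s\n' "$SAMPLE_LOG" | abused_wordpress_hosts
```

On a live edge the same two functions would be fed from the access log (for example with tail -F) and the first list handed to the banning layer, while the second is the list of site owners worth notifying.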

[Image: traffic report from a single edge on August 8th, in gigabytes]

Due to the nature of our infrastructure we do not see lower-layer (network-level) DDoS traffic ourselves; we rely on the numerous providers around the world who host our caching servers to absorb it. This makes it difficult to judge precisely the size of an attack, so in such cases we rely on our providers' statistics and the emails they send us warning of huge traffic loads. Between August 7 and 8, simultaneous attacks against Deflect clients generated traffic somewhere between 8 and 10 Gbps.

Both websites were previously behind Cloudflare; one organization was even paying the 200 USD per month for the plan that promises advanced DDoS mitigation. Deflect's mandate is to protect and enable online voices for qualifying independent media and human rights organizations, and we operate on a strict policy of never denying or terminating service simply because a site is the target of a large attack.

We do not usually disclose our clients to the public. This time we sought their permission, as we believe our service and principles are exemplified by standing up for an organization that defends the human rights of all, even when it is against popular opinion in their own country. B'Tselem, the Israeli Information Center for Human Rights in the Occupied Territories, monitors and documents human rights abuses, conducts research into human rights issues, promotes accountability for human rights abuses, and engages in media, advocacy and public education.

As an organization dedicated to safeguarding human rights in the occupied West Bank and Gaza Strip, we have faced many attempts to silence our voice. During the latest fighting in the Gaza Strip, attempts by opponents of free speech escalated, including stepped-up DDoS attacks which our previous hosting providers failed to repel. Deflect proved itself extremely helpful in protecting our website, and has allowed us to carry on with getting our information out to the public here in Israel, Palestine, and abroad.
Hagai El Ad, Executive Director, B’Tselem

B’Tselem is a winner of the 2014 Stockholm Human Rights Award and nominee for this year’s Václav Havel Human Rights Prize.


Secure Hosting Guide available now

We are pleased to announce the launch of our Secure Hosting Guide, available now on learn.equalit.ie. The guide has been produced in collaboration with our friends at Huridocs and will be useful for anyone who wants to know the key factors involved when looking for a good hosting provider. It has been written for users of all technical abilities and budgetary constraints and is tailored specifically to focus on the issues that matter most to our partners: Concerns over data security, server reliability and technical support are priorities when you are running a website that attracts the attention of hackers, botnets, social engineers and the local surveillance services.

In addition to hosting, the document has sections on choosing a name registrar, dealing with threat mitigation and the considerations regarding legal and contractual issues. This is an evolving document in a fast-changing field, so we welcome feedback and contributions from users and other knowledgeable parties.

Finally, there is a set of reviews for the ISPs that eQualitie uses with Deflect. We invite you to add to this list of trustworthy (and not so trustworthy) hosting providers.


DDoS mitigation on a network of principles and openness

Yesterday saw the public launch of Project Galileo, a CloudFlare initiative that partners with reputable international advocacy and civil society organizations to offer free DDoS mitigation services to human rights and independent media groups. As with our support for Google’s Project Shield last year, we welcome all attempts to bring DDoS mitigation to a wider audience of at-risk users around the world and would like to take this opportunity to encourage serious consideration of the ethical and operational standards as followed by eQualitie and our peers. There are both moral and technical obligations that we feel bound by in this industry, from combating hate speech to respecting our client’s privacy.

To this end, eQualit.ie is today putting forward a set of principles which we hope will receive the support of commercial and non-profit providers alike, as well as any partner organizations endorsing these services. Websites signing on for Internet hosting and content distribution services should have a sound understanding of how their providers operate and what motivates each of us to do this work. We strongly agree with CloudFlare’s stated aims:

…to build a better Internet. Fundamental to that is ensuring that bullies cannot use attacks to censor content simply because they disagree with it. We knew we needed to do something to stop this troubling trend.

However, we would add that to engage in activism you have to take a stand and you have to pick sides. By standing firmly against censorship, we cannot also protect groups which would misuse our network for political censorship or as a launchpad for the very same attacks we are trying to stop. Equally, we cannot accept websites which propagate hate speech and advocate for the disenfranchisement or even outright destruction of their adversaries. Such malicious actors are welcome to find a solution elsewhere but it is not accepted practice within our corner of the digital security field to defend rights defenders and rights deniers at the same time. There is no way for us to reconcile protecting both an LGBT site and an anti-LGBT site on our network without, at the very least, disrespecting the values of the former and enabling the latter.

For this reason we ask every organization entering this field to consider the harm done in protecting all sides which operate within a given conflict. To make no choice at all about who your customers are serves only to perpetuate each conflict, breed mistrust among activists and journalists involved and undermine our common aims.

That CloudFlare has chosen to join the fight against censorship-by-DDoS is a huge benefit to groups on the frontline who struggle every day to keep their voices heard. We see our partners face enormous financial, legal, political and personal risks by speaking out for what they believe is right and we understand it is our shared responsibility as protectors of their websites to perform our small part in their work without any ambiguity of operation and purpose.

Signed

The Deflect team


Take Back The Net!

This week eQualitie will be attending Take Back The Net, a two-day conference in which “human rights advocates and transformative technology providers will meet to discuss what civil society organisations and individuals can do to restore trust in communication infrastructure”. We are attending as guests of the Association of Progressive Communications, organisers of the conference and we are grateful to them for this opportunity to speak directly with many at-risk activists and to understand these vital issues from frontline perspectives.


Training in Ukraine

eQualit.ie undertook two missions during the last month to work with independent media workers and aspiring digital security trainers from across Ukraine. Over one hundred news media workers were trained in secure communications, and a very capable group of future trainers was taken through the advanced training so that this valuable knowledge can continue to spread. We are grateful to the organisers for bringing us on board and to all the participants for their attendance. If your organisation is interested in digital security training, please get in contact with us at the address below.


Sweden gets eQualitie

Last week eQualitie attended the Stockholm Internet Forum 2014, an annual gathering of multi-stakeholders from internet governance, global civil society, freedom of expression networks, independent media and even some progressive-minded government types. We spent three days meeting with activists, journalists and policy makers to listen to their concerns and discuss the best ways forward for the Internet Freedom movement. We championed open source principles and distributed solutions as the best way to engage and mutually benefit users from across the spectrum in the fight against censorship, surveillance and exclusion on the Net. Our gratitude goes out to the organisers for the invitation and particularly to our friends at Civil Rights Defenders for introducing us. Skol!


Feeling Insecure? Try some Digital Self-Help

We’re launching a free guide for teaching yourself Digital Security which can be accessed right here.

Over the last 8 years, eQualitie has been leading digital security trainings in dozens of countries for hundreds of activists and journalists, as well as building two digital security schools and training many others to become trainers themselves. Every year we have seen the demand for trainings increase, and while we are always interested in working with whoever requires our services (please contact us if you'd like to talk about that), we understand that there are many more groups across the world we cannot easily get to, for a variety of reasons such as lack of funds, travel restrictions or scheduling conflicts. So we want to help anyone who would like to learn these skills and tools and has the motivation to teach themselves.

This is the latest in a series of guides we have made freely available, following on from the Digital Security Manual and Trainer’s Curricula. Next up, we’re putting together a guide on secure website hosting.


Mid-May in Tunisia

We are in Tunis this week leading a series of "training of trainers" sessions at DSS 216, the Digital Security School set up by eQualitie in conjunction with our friends at Alternatives, the long-established Montreal NGO. The school is staffed by coordinators from across the Middle East and North Africa and operates in Arabic and French. It has been created as a permanent hub where digital security trainers share tools and best practices with activists and journalists from the Maghreb region and beyond, with a particular focus on women, youth, citizen journalists and legal practitioners from Iraq, the Palestinian Territories, Tunisia, Sudan and Syria. You can read the press release here (en français).

This is the second in a series of digital security schools that eQualitie is creating across the world. The first was started in Vilnius, Lithuania three years ago and has since trained hundreds of activists, journalists and trainers from Belarus. Please get in touch if you're from that region and interested in trainings. Stay tuned for announcements on school number 3 later in the year.


Q1 2014 Traffic Report: DDoStoyevsky’s Crimean Punishment

In the last 12 months we have seen steady growth in many aspects of the Deflect project, particularly with respect to membership, traffic, localisation and network capacity. The most significant contributing factors have been the uptake of more partners, the efficacy of our new banning software and the continued rise in DDoS attacks as a form of censorship.

Over that period we have more than doubled the number of our partners, so Deflected sites now operate in 17 languages and focus on affairs in 55 countries across the world. In addition, we have taken on more sites that report news or advocate on issues from a transnational perspective, resulting in a more even distribution of traffic from around the world.

A comparison between the first quarters of 2013 and 2014 shows this clearly.

[Images: traffic statistics for the first quarters of 2013 and 2014]

Unique visitors have nearly tripled, the number of visits has more than doubled, page requests have multiplied, hits are between four and five times as many, and we are serving at least twice the bandwidth of this time last year. The figures continue to grow into March and April because of the situation in Ukraine: in the wake of the Euromaidan protests, the fall of the Yanukovich government and the annexation of Crimea, we brought a number of key independent news sites operating in the region onto the network, and they have brought with them a large amount of traffic and a comparable amount of DDoS attacks.

The figures above cover only the legitimate traffic served. On the malicious side, we saw an average of around 8 MBps across the network for the month, and when we first took on the Ukrainian sites in March we saw spikes of 200 bots per edge.


DBP: Our Philosophy

The Deflect team has spent the last two years mitigating DDoS attacks against independent media and human rights websites. We’ve learnt a thing or two along the way and have put a lot of effort into developing open source software to make our lives (and weekends) a bit easier. The BotnetDBP project consists of four components to detect and ban malicious bots.

Banjax: responsible for early-stage filtering, challenging and banning of bots, identified via regular expression matching.

Learn2Ban: introduces intelligent, adaptive features to botnet detection and banning by using a machine-learning approach.

Botbanger: uses the support vector machine model constructed by Learn2Ban to test HTTP traffic and determine the legitimacy of the requester.

Swabber: responsible for managing the actual banning of IP addresses identified by either Banjax or Learn2Ban.

GitHub repo

Notably, the accuracy of the current Learn2Ban models has been measured at 90% and above (i.e. false positives and false negatives together amounted to less than 10% of classifications). In several cases, accuracy of 99% was achieved. Accuracy on its own says little when legitimate traffic vastly outnumbers bot traffic, so the false-positive rate (legitimate readers banned) is the figure to watch. We continue to develop models based on the larger attacks the network receives.

We rely on our community of peers and invite you to take a look at the code. Your commentary and analysis are essential to seeing this open source initiative mature and become relevant to anyone running a web server. For reference, all components are built modularly and can be adapted to any web service environment, although Banjax itself was written as an Apache Traffic Server plugin.


Changing Your Database Password

We are serious about passwords here at Deflect. You might have noticed the 23-character random password we generated for your WordPress admin user when we installed your site. A password like that is out of reach of brute-force and dictionary attacks. The random.org site provides tools for generating super long passwords; bear in mind that an online generator sees the password it hands you, so a generator running on your own machine, such as KeePassX, is the better choice for anything that matters.

So why would you ever want to change your database password? Typically you never need to, because we set it during installation to another unique 23-character random string. But there can be a good reason: any event that may have exposed the server's memory or files to an outsider, Heartbleed being the obvious example, means every secret on the box should be rotated, and that includes the database password. So, here we go...

Changing Your Database Password

Warning: changing your database password can take your site down. Make sure you know what you are doing, or send us an email if you need help.

  1. Log into Adminer. For example, if your site is example.com, go to https://example.com/adminer/.
  2. Your DB username and current DB password are in wp-config.php, in the wordpress directory; read it over SFTP and keep it open, you will edit it in step 7.
  3. Click the "Privileges" link.
  4. Click the "Edit" link beside "localhost".
  5. Make sure the "Hashed" checkbox is unchecked; if it is checked, Adminer stores what you paste as if it were an already-hashed password and the new password will not work.
  6. Generate a long random password with KeePassX (or random.org, with the caveat above), paste it into the Password field, but do not click Save yet.
  7. In wp-config.php, replace the old value on the line define('DB_PASSWORD', 'password'); with the new password. Then click Save in Adminer and immediately upload the edited wp-config.php. Between those two actions the site cannot reach its database, so keep the gap as short as you can.
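For sites where you have shell access to the host rather than only Adminer, the following added example (not the procedure from the original post, and assuming the mysql command-line client and a MySQL 5.7.6+ or MariaDB 10.2+ server) performs the same rotation with the shortest possible window between the database accepting the new password and wp-config.php carrying it: the new configuration file is written beside the old one first, then the password is changed, then the file is swapped in with a single rename. The wp-config.php lines used in the demonstration are constructed for this example.

```sh
#!/bin/sh
# Added example, not the original post's Adminer procedure: rotate a WordPress
# database password from the shell with the smallest possible window in which
# the site cannot reach its database. Assumes shell access to the host running
# WordPress and the mysql command-line client; the wp-config.php path is
# whatever your installation uses.
set -eu

# gen_password [LENGTH]: LENGTH random characters (default 23) from the local
# kernel CSPRNG. Alphanumeric only, so the value needs no quoting in PHP or SQL.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-23}"
}

# wp_config_value FILE NAME: print the value of define('NAME', '...') in FILE.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# write_wp_config_password SRC NEWPASS: copy SRC to stdout with only the
# DB_PASSWORD line replaced; every other line is passed through unchanged.
write_wp_config_password() {
    awk -v pw="$2" '
        /^[[:space:]]*define[[:space:]]*\([[:space:]]*[\047"]DB_PASSWORD[\047"]/ {
            print "define(\047DB_PASSWORD\047, \047" pw "\047);"; next
        }
        { print }' "$1"
}

# change_db_password USER OLDPASS NEWPASS: change the password on the MySQL
# side. The password goes through the environment, not the command line, so it
# does not show up in the process list. ALTER USER needs MySQL 5.7.6+ or
# MariaDB 10.2+; older servers use SET PASSWORD = PASSWORD('...') instead.
change_db_password() {
    MYSQL_PWD="$2" mysql -u "$1" -e "ALTER USER CURRENT_USER() IDENTIFIED BY '$3';"
}

# rotate_wp_db_password CONFIG: the whole procedure. The new config file is
# prepared first (same owner and mode as the old one), the database password is
# changed, and then the file is swapped in with one atomic rename, so the site
# is without database access only for the instant between the last two steps.
rotate_wp_db_password() {
    cfg=$1
    user=$(wp_config_value "$cfg" DB_USER)
    oldpw=$(wp_config_value "$cfg" DB_PASSWORD)
    newpw=$(gen_password 23)
    tmp="$cfg.rotating"
    cp -p "$cfg" "$tmp"                                  # preserve owner/mode
    write_wp_config_password "$cfg" "$newpw" > "$tmp"    # new contents, same inode
    change_db_password "$user" "$oldpw" "$newpw"
    mv -f "$tmp" "$cfg"                                  # site is back from here on
}

# Demonstration on a constructed wp-config.php fragment (no database needed):
demo=$(mktemp)
printf '%s\n' '<?php' "define('DB_NAME', 'wp');" "define('DB_USER', 'wpuser');" \
    "define('DB_PASSWORD', 'oldpass123');" "define('DB_HOST', 'localhost');" > "$demo"
write_wp_config_password "$demo" "$(gen_password 23)"
rm -f "$demo"
```

Run rotate_wp_db_password against the real wp-config.php as the user that owns it; if the ALTER USER step fails, the old file is untouched and the temporary copy can simply be deleted.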

First Steps with Your eQPress Site

Your shiny new eQPress site is ready to go! Now what? Here are some recommendations.

  1. Enable “pretty” permalinks under “Settings” -> “Permalinks”.
    Typically “Post name” is a good option, but you can choose whichever setting you prefer other than “Plain”. The reason for doing this is two-fold: on the one hand, your URLs just look nicer, on the other hand this could also increase your performance because this type of URL has better chances of getting cached.
  2. Next install a plugin to protect your website against comment spam. Anti-spam is easy to use, needs no configuration and just works.

Now that you’ve made some initial steps, you can take some time to read the official guide: First Steps with WordPress


The Best Options for Email Subscriptions with WordPress

The best option is to use MailChimp to manage your subscriber lists and also to send the emails. There are plugins that can integrate with your MailChimp account but even that is unnecessary if all you want is to add email addresses and then send emails when you write a new blog post. The way it works is MailChimp will check your RSS feed every day for new posts and when one is found it will automatically send it to everyone on your list.

MailChimp is very powerful and easy to use. Here are some articles that will help you get started.

The next best option is to use the Subscription feature that’s part of the JetPack plugin. You will need a WordPress.com account to use it but it’s very easy to sign up for one. The plugin will guide you through the process. Click this lovely link to read more about JetPack Subscriptions
