0 - 2015 - eQualitie

Home / 2015

np1sec challenge

By: dmitri On: November 25, 2015 Uncategorized Comments Disabled

The challenge involve partially implementing some of our XMPP test client event handlers for namely join, receive and send. The result will be a client that people can use to join and chat securely. Note that the purpose of the challenge is for the EQ team to get to know the candidates and be comfortable with their C++ competence before commencing our interview process. Please reach out if you get stuck somewhere – this is not considered against you.

Step 1: Get the code and get it compiled:

You need our fork of libgrypt for it:

https://github.com/equalitie/libgcrypt

Then you need to get the code

https://github.com/equalitie/np1sec

and follow the README. Finally test with the mock client:

./libnp1sec_test

If you link to original libgcrypt you’ll get some kind of grypt related
error.

Step 2: Run the xmpp test client. It is implemented in

https://github.com/equalitie/np1sec/blob/master/test/xmpp_test.cpp

Look at the example at:
https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L54

and

https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L127

Notes that in case of mock client join and receive handler both are being handled by chat_mocker_np1sec_plugin_receive_handler but it happens in different function in case of libpurple.

Step 4: Implement the call backs:

You need to give some call backs to np1sec library. You can find the
association in case of chat mocker here:

https://github.com/equalitie/np1sec/blob/master/test/session_test.cc#L62

mockops->send_bare = send_bare;
mockops->join = new_session_announce;
mockops->leave = new_session_announce;
mockops->display_message = display_message;
mockops->set_timer = set_timer;
mockops->axe_timer = axe_timer;
They are implemented here:

https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L135

You only need to implement send_bare and send a do nothing functions for set_timer/axe_timer.

Step 5: Test your client:

Follow the lines in

https://github.com/equalitie/np1sec/blob/master/test/session_test.cc#L189

to initiate the np1sec UserState and see if you can join and talk to yourself.

Be the (Web) Master of your own (Secret) Domain

By: dmitri On: October 20, 2015 Uncategorized Comments Disabled

We are very pleased to announce that all websites signing up for DDoS protection with Deflect will now receive an authenticated password giving them easy access to their admin panel without having to reconfigure settings on their host server.

In the past, our practice has always been to set up a special secret login address which we would send to each site (known as a nocache address) and webmasters would then have to configure their servers to respond accordingly whenever they needed to access their admin page (as detailed in Step 5 of the Walkthrough on our wiki)

We did this to avoid any problems with the admin panel itself being cached. In such circumstances, any changes in content made to the website would be subject to the caching process rather than take effect immediately, thus affecting the user experience.

The problem has been solved by tweaking our detection software to distinguish between legitimate users and attackers – just as it does with traffic to the public website – by checking that the authenticated password and authenticated cookie match up whenever a request is made to log in. If everything does match up, the user gets access to the admin panel and any changes made take effect immediately rather than being affected by the caching procedure. Unauthenticated users will be blocked.

We are in the process of offering current Deflect users the opportunity to switch to the authenticated password system.

In the previous procedure, hiding the URL added an extra layer of security for the site since it made it much more difficult for hackers to guess the address (…/admin , /login etc) and brute force their way in using password-cracking software. Of course it is good practice to keep a secret URL address to increase security by one more layer, so we will always provide the option for new users to change their admin URL from the default address to a secret one.

Today’s announcement marks another stage in our goal to simplify every step of the Deflect signup procedure. Below is a preview of the new Dashboard, the first thing you will see after signing up and receiving your login details. Notice the magnificently reduced steps involved in becoming a full Deflectee.

Coming very soon!

Creating a Hosts File Entry

By: dmitri On: September 30, 2015 FAQ, General, Hosting, Help Comments Disabled

If you wish to access your domain before your DNS has been updated, you can update your local ‘hosts file’, which will allow your computer to view your new site. Follow the appropriate instructions below.

Please note that this will work only with HTTPS and not with HTTP.

If you need any help with this procedure (for example because nslookup is not installed in your system and you can’t figure out what the IP of your SFTP server is), we are ready to help: please contact us through the Dashboard or send us an email.

OS X:

Open Terminal
Launch the following command (replacing SFTP_host with the address of your SFTP host you received in your activation email):
$ nslookup SFTP_host
The result will be something like the following output. The last line contains the IP address of your SFTP host, which you will need to add to your hosts file (numbers arranged in this form: XX.XX.XX.XX).
Server:        YY.ZZ.XX.ZZ
Address:    YY.ZZ.XX.ZZ#53

Non-authoritative answer:
Name:    grwtrcweg.deflect.ca
Address: XX.XX.XX.XX
Type ‘sudo nano /private/etc/hosts’
Press Ctrl+Shift+V to take you to the end of the file
Enter the text ‘XX.XX.XX.XX <yourdomain>’ (replacing `XX.XX.XX.XX` with the actual IP of your SFTP host and <yourdomain> with the URL of your website).
Press Ctrl+x to exit
Press y to save

Alternatively you can download the Hosts preference pane helper from here: https://github.com/specialunderwear/Hosts.prefpane/downloads

Windows:

Launch the Command Prompt and enter:
C:\>nslookup example.com

whereby you need to replace example.com with your SFTP host address.
The result will contain the IP address of your SFTP host, which you will need to add to your hosts file (numbers arranged in this form: XX.XX.XX.XX).
Address: XX.XX.XX.XX
Click “Start” button
Click “All Programs”
Click “Accessories”
Right-click on Notepad and then click Run as administrator.
If you are prompted for an administrator password or for a confirmation, type your password, or click Allow/Yes.
Open the Hosts file. Discover the location for your version of windows here (https://en.wikipedia.org/wiki/Hosts_(file)#Location_in_the_file_system)
Enter the text ‘XX.XX.XX.XX <yourdomain>’ (replacing `XX.XX.XX.XX` with the actual IP of your SFTP host and <yourdomain> with the URL of your website).
Click Save on the Edit menu. (If using Windows 7, you will need to click Save on the File menu.)

Linux:

Open a terminal.
Launch the following command (replacing SFTP_host with the address of your SFTP host you received in your activation email):
$ nslookup SFTP_host
The result will be something like the following output. The last line contains the IP address of your SFTP host, which you will need to add to your hosts file (numbers arranged in this form: XX.XX.XX.XX).
Server:        YY.ZZ.XX.ZZ
Address:    YY.ZZ.XX.ZZ#53

Non-authoritative answer:
Name:    grwtrcweg.deflect.ca
Address: XX.XX.XX.XX
Open the file /etc/hosts with vim or your favourite editor as root:
$ sudo vim /etc/hosts
Add the following line, replacing `XX.XX.XX.XX` with the IP address of your SFTP host, `example.com` with the URL of your website and `example` with the name of your website:
XX.XX.XX.XX example.com example
Ensure that the nsswitch.conf file is correct. The nsswitch.conf file controls in which order services will be consulted for name service lookups, in our case we are looking for the “hosts” service:
$ grep host /etc/nsswitch.conf hosts: files dns

Check that “files” comes before “dns”. If it doesn’t, edit the file to obtain the above result.
Check that your changes produced the wanted effect with this command:
$ ping -c 1 example.com

The result should be something like this (with XX.XX.XX.XX being replaced by the IP of your SFTP host):

PING example.com (XX.XX.XX.XX) 56(84) bytes of data.

Project Motivator and Magical Manager

By: dmitri On: July 22, 2015 Jobs Comments Disabled

Job Location: Montreal-Quebec-Canada (flexible)

Job Type: Full-Time

Salary Range: senior level, based on experience

Posting Date: 23-July-2015

Deadline for Applications: 15-August-2015

eQualit.ie is seeking an enthusiastic person to fill the shoes of a project manager at our small (but growing) organisation. This is a relatively fast-paced environment with a strong sense of individual contribution and close-knit project teams. We expect individuals to grow into their roles but also to make it their own. We are open to different approaches and perspectives.

We’d like you to have:

Experience with open source projects – the beauty and the pain of collaboration – and a few examples of projects delivered
A strong sense of empathy and sound professional judgement
A solid track record of coordinating, facilitating or straight up managing team-based projects
A background in a technical subject or in-depth experience in a variety of software projects
A shared spirit of working in a not-for-profit team that is driven by defending and promoting human rights in the digital domain
Willingness and ability to work remotely and travel

Extra points if you have:

Several years experience as a team lead / project coordinator
Exposure to working in a non-profit environment and partnering with NGOs and civil society
A keen interest in developing solutions that protect people from indiscriminate Internet surveillance and censorship
Some background in digital opsec or crypto or education
Surprise skills that would be useful in this multi-faceted role

About us

Our projects span DDoS mitigation, machine learning, encryption protocols, data management and analytic, education and awareness raising. We want you to be motivated by working towards positive social change through technology, comfortable within a diverse group of people from various backgrounds and skill sets, and be able to balance the needs and realities of the organisation with our stakeholders – primarily independent media and human rights organisations the world over.

Please send your resume and a cover letter explaining how your portfolio and motivation match our requirements below

Migrating Your WordPress Site to Us

By: dmitri On: June 24, 2015 Help, Migration, Hosting Comments Disabled

If you already have a working WordPress site that you wish to move to eQPress, the first thing you need to do is sign up with Deflect and specify that you would like to move your existing website to eQPress, providing us with the first and last name of your admin (they don’t have to be the official ones!). It would be also helpful to know if your WordPress instance contains a single website or is a multi-site with subdomains (http://sub.example.com) or subdirectories (http://example.com/sub).

This post contains information for migrating your website to eQPress. If you need any help, don’t hesitate to ask for our support.

What we need:

A database dump of your existing WordPress site. You may need to request this from your existing hosting provider if you do not have the facilities to make a database dump yourself, or you can follow these instructions.
The complete backup of your existing WordPress site files, which you can easily obtain by following this guide.

If you want, you can use a plugin to obtain your database dump and website backup. There are many such plugins for WordPress, and you can pick the one you prefer from this list.

How to Flush Your Local DNS Resolver’s Cache

By: dmitri On: March 19, 2015 Help, General, Hosting Comments Disabled

If your computer cannot reach a certain website this could be because your local DNS resolver’s cache contains an outdated record. For example, you updated your DNS records to point to eQPress but instead you are seeing your old website. This is when flushing your DNS cache will speed things up.

Mac (OS X)

In the Command Terminal, type one of these commands:

sudo killall -HUP mDNSResponder sudo discoveryutil udnsflushcaches
sudo dscacheutil -flushcache
sudo lookupd -flushcache

Windows

Run the following command in a Command Prompt window:

ipconfig /flushdns

Deflect – 2014 in numbers

By: dmitri On: January 29, 2015 DDoS Comments Disabled

The Deflect projects protects human rights and independent media websites from distributed denial of service (DDoS) attacks. It is a free service for qualifying organisations and the source code is publicly available on the project wiki. In our third year of operations we protected websites from over 60 countries and present herein some interesting facts and figures from 2014.

2014 AVERAGES

MONTHLY VISITORS (UNIQUE): 3.14 MILLION

PAGES SERVED (DAILY): 1.44 MILLION

DAILY TRAFFIC (MB): 193374.54

2014 ATTACKS

DDOS ATTACKS MITIGATED: 100%

HIGHEST TRAFFIC LEVEL*: ~50GBPS

LARGEST BOTNET: ~15000 MEMBERS

* These measurements do not include UDP layer attacks, which are known to generate the biggest traffic levels

The Deflect network is attacked all the time by various botnets. These attacks can often be measured by a spike in bandwidth, connections to our servers and number of banned IPs. The following diagram represents network bandwidth in 2014.

And now the same diagram but zoomed out so as to capture traffic levels generated by large DDoS attacks against Deflect protected websites.

We have developed various botnet identification and banning toolkits. They are publicly available from the project wiki. The following diagram displays malicious bot IPs we identified and banned in 2014. Note that this diagram would not line up with the generated traffic levels since banned IPs cannot request data from the network.