IFF Showcase 2016

During the Internet Freedom Festival in Valencia, eQualit.ie hosted a tool showcase on Thursday 3rd March. 15 awesome tools were presented, and the audience voted for their favourite projects for three different categories – “You did whaaaat?”, “Wish I’d thought of that!”, and “You get a biscuit”.

We are now proud to announce the winners, with a list of the other projects that got the best scores:

You did whaaaat?

1. NetAidKit
2. StingWatch
3. Peerio / uProxy (joint winners)

Wish I’d thought of that!

1. OnionShare (in tie with NetAidKit)
2. SecurePost
3. StoryMaker

You get a biscuit

1. Qubes OS
2. Code of Conduct Builder / OnionShare / Peerio (joint winners)
3. Psiphon / NetAidKit / StoryMaker (joint winners)

First created in 1996, CGIProxy is a clientless web proxy that supports Javascript and Flash, enabling access even to the most complex websites, and can be used to anonymize connections and circumvent censorship. Over the years, CGIProxy has been downloaded over 2 million times and has been a model for several other similar web proxies.

Actively maintained and developed, CGIProxy is installed in numerous servers, allowing for a decentralization that makes these web proxies harder to block and, if the server is hardened, to detect. Users just need to access the proxy interface of a trusted server through a common web browser and to enter the URL of the website they want to visit in the form. Without having to install anything in their computers, anyone can thus securely and anonymously access any restricted website.

SecurePost is an Android App that allows a group to share a Twitter account or Facebook page without sharing the account password. Every post published through SecurePost is cryptographically signed and can thus be verified through the app itself or with a Chrome plugin, that will clearly show if the post has been published by a legitimate member of the group. On the other hand, SecurePost also ensures plausible deniability for each member of the group, so that while readers can be sure that a post has been published by the group that owns that specific account, no member of the group can be held accountable for any content.

Integrating libraries by The Guardian Project, SecurePost encrypts by default all content while the app is at rest and offers emergency features based on the Guardian Project’s Panic Kit, like wiping of the app content and triggering other Panic Kit apps if someone enters a special “wipe password” at the app’s password prompt. Furthermore, if the account is compromised, its creator can reset it, thus excluding any malicious group member and warning readers about the incident by turning all posts to an  unverified state.

SecurePost has been developed in view of real users’ needs: its creators have travelled to Zambia, Turkey and Mongolia, interviewing activists and journalists to assess what was needed to make their work more efficient and secure. By ensuring authenticity and plausible deniability, this tool offers groups and organizations the possibility of publishing on a shared account or page without having to share a password and at the same time prevents self-censorship among dissidents.

Usually, those who are most hurt by censorship, surveillance and a lack of Internet freedom are the most marginalised members of society; people who have been too often excluded from the world of tech, policy and other important areas which impact Internet freedom and human rights. To face this problem, many groups have taken inspiration from the women’s liberation movement of the 60s and 70s, creating Codes of Conduct as a set of shared behavioural guidelines to ensure that the physical or virtual space they’re acting in becomes a safe space.

The Code of Conduct builder has been created to help community leaders implement a Code of Conduct that is both customized and has the ability to support all members of that community. Thoroughness and an understanding of the issues is key to successful implementation of a Code of Conduct, however, and that is why each section in this web-based tool features a clear explanation of the reasons for inclusion, live preview of the customized text and tips for enforcement.

Currently, resources for building a Code of Conduct for online and offline spaces (such as conferences and repositories) take the form of blog posts and copyable policies. There are lots of details, opinions (sometimes lacking consensus) and supporting processes to consider when creating a Code of Conduct, and the task of a good implementation can be overwhelming.

Unfortunately, because of this, organizers decide to either not have a Code of Conduct, or to copy and paste an existing one without properly considering how to support it. Both are poor solutions that fail to support attendees and can give them a false sense of security. The Code of Conduct builder is the first tool of its kind that goes beyond a customized Code of Conduct by also aiming to educate users on the various aspects of a well-implemented and supported policy.

By making the process of implementing a Code of Conduct more efficient and considered, the Code of Conduct builder helps event organizers, repository maintainers and other leaders to create a more inclusive community. This inclusivity helps to bring a wider range of voices, backgrounds and skills to the fight against censorship and surveillance. The end result being that the solutions produced are better suited to protect not just the majority, but really everyone’s digital and human rights.

StoryMaker is an open source app helping anyone learn to make great multimedia stories and safely produce and publish them with their mobile device, in a privacy-preserving fashion that ensures they can share and publish their stories where they wish, despite the threat of censorship. The final release out of beta comes with the inclusion of a Catalog of new content packs. Content packs provide Lessons, Guides, and Templates for creating new stories. Once templates, guides, or lessons have been downloaded, the user may learn and make stories completely offline, as well as sharing stories via bluetooth or other means that don’t require the Internet. Users may publish their stories online to a variety of outlets, with built-in support for Tor. Currently users can publish over Tor to Facebook, YouTube, Flickr, Soundcloud, Archive.org and private SSH servers.

StoryMaker is brought to you by the StoryMaker Coalition. The StoryMaker Coalition is a collaboration between Small World News, Scal.io, The Guardian Project and Free Press Unlimited to develop and implement the StoryMaker application. The Coalition has trained more than 700 journalists, human rights defenders, and aid workers active in more than 20 countries. At the time of writing, the StoryMaker app has been downloaded by more than 140,000 users around the world, including journalists, civil society members, and activists.

StoryMaker’s libraries provide open source tools for others to add functionalities to publish content safely and securely to a variety of platforms, as well as distribute interactive learning content directly to individual users. StoryMaker enables citizens anywhere to tell their stories despite the threat of surveillance and censorship. The app puts the work of many developers and organizations on digital security into a specific and important context: amplifying the voices of marginalized communities by providing them the skills to tell their stories and the access to ensure they are heard. To underscore this point, Natasha Msonza from Zimbabwe, one of the many trainers using StoryMaker around the world, will join the speakers from the StoryMaker Coalition in the presentation.

uProxy is an open source browser extension for Chrome and Firefox that lets users share their route to the Internet with each other. uProxy has been made for people in two situations: those who need to get safe and unrestricted access to the Internet and those who have an unrestricted connection that they would like to share with their friends. With uProxy, those who have a restricted access to the Internet can get access to the same sites their friends with unrestricted connection have access to.

uProxy can make it much harder for a third party to monitor or interfere with the traffic of the user who is getting access to the Web thanks to the extension. It can be compared to a personalized VPN service that you can use to provide secure access to friends and family, and to yourself when you travel. But since VPNs generally rely on shared servers, they can often be identified and blocked, or they can slow down at peak times. Because uProxy users connect to each other, rather than to common servers, uProxy connections may be harder to identify, and the network scales naturally.

On the other hand, uProxy also has limitations: not only should the level of trust between users sharing a connection be very high to avoid the risk of being caught at accessing restricted resources in censored areas, but furthermore uProxy, being a browser extension, is only capable of handling web traffic in Chrome and Firefox and cannot secure other applications connected to the Internet. Nevertheless, for people dealing with nationwide censorship and state surveillance, uProxy can be a precious tool for accessing online resources.

OnionShare is a desktop application to share files anonymously and securely using the Tor network. It’s incredibly simple and uses the anonymity-protecting and firewall-slicing properties of hidden services. It supports a diversity of use cases such as sending a screenshot to a friend, or leaking classified documents to a journalist.

As long as both the sender and the receiver have access to the Tor network (which just requires installing and launching the Tor Browser), OnionShare is censorship and surveillance resistant. Third parties don’t have access to files being shared, network eavesdroppers can’t spy on files in transit, and the anonymity of sender and recipient are protected by Tor.

OnionShare was originally built by Micah Lee to solve the “David Miranda problem”: If you have super secrets files that you need to give to someone, it’s often safer to use the Internet than to physically carry a USB stick. OnionShare makes the using-the-internet option simple, user-friendly and convenient. Micah Lee himself says he uses it all the time for a variety of purposes at The Intercept.

CENO (Censorship.NO!) is an innovative approach to censorship circumvention, based on P2P storage networks, and in particular on Freenet. CENO maintains strong privacy and anonymity features as well as offering users plausible deniability in an emergency situation. CENO is built in advance of aggressive Internet filtering and the establishment of national intranets to fence off citizens from the wicked Web, so it’s a tool to access restricted information and resources when everything else fails.

The main purpose of CENO is to deliver content that otherwise would not be available because of Internet censorship. When CENO has been launched, users can anonymously request a web page that is inaccessible from their country by entering a normal URL in CENO’s customized browser profile. Their request will reach a so-called bridge node, a peer node that also acts as a CENO server, bridging the p2p network with the World Wide Web. The bridge node will then fetch the requested web page, bundle it and insert it in the distributed storage in the p2p network, where it can be eventually retrieved by the user. While the users wait for the requested page to be delivered, which can take some time, they can read the selection of news feeds that can be reached from the “CENO Portal”. These selected feeds are inserted by default in CENO and are updated on a daily basis.

At the moment CENO bridges are all managed by the CENO team, but users can set up their own bridge nodes, independently from CENO team’s Insertion Authority. No knowledge of the global network topology is required in order to retrieve bundles or send a message to a bridge, and no CENO node can know where the other nodes are located. Last but not least, CENO is a resilient solution to censorship circumvention: in cases of nationwide Internet throttling, content will remain available to the peers given that a copy of that bundle is cached in the in-country network of peers. Read more about CENO here.

An IMSI-catcher is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. Essentially a “fake” mobile tower acting between the target mobile phone and the service provider’s real towers, it is considered a man-in-the-middle (MITM) attack. Wikipedia article

Employed, among others, by the US federal government and by state and local police departments across the USA, the Stingray is a mobile technology that simulates a cell phone tower and can intercept call and SMS text content, including the call histories of all mobile hand sets within range as well as their location.

Racial bias in police violence has sparked a heated discussion in the US in recent years and cell-cite sumulators, also known as Stingrays, have gained increased media and some public attention as recent reports indicate their frequent use in criminal investigations and at political demonstrations such as Black Lives Matter.

The tools required to discover and investigate the presence and location of theses Stingrays have so far been difficult to obtain and operate, most of them either closed source or requiring root access on your smart phone. The goal of StingWatch is to be a platform independent tool that anybody can use, with the purpose of enabling ordinary people to employ their phones in monitoring and then mapping the use of Stingrays in their vicinity.

StingWatch is a simple app for Android that will do a couple of things:

1. It will notify its users when Stingray use is detected, so that they can put their phones into airplane mode and avoid having their information collected.
2. It will send detection locations to a central server so that Stingray use can be mapped on a public website, eventually combining with Census data to examine the demographics of those being targeted.
3. By exposing use of this secret technology, Stingwatch will hopefully contribute to public pressure to limit its use.

Ultimately, StingWatch is a tool for policy change. Its main purpose is to prove that Stingray technology is often misused to disproportionately target certain minority groups and other civil groups. The developers hope this information will reinforce the larger debate around these devices and ultimately lead to their abolition.

Qubes OS is a free and open source security-oriented operating system that implements security by compartmentalization. Its architecture is built to enable a user to define different security environments on her computer and visually manage their interaction with each other. While the most common operating systems like Windows, Mac or Linux are “monolithic”, which means that if an attacker manages to hack into the system, they will have access to the whole machine, Qubes OS greatly reduces this risk by isolating every domain (or qube) from each other, so that if one qube is compromised, the others – and the system – will remain unaffected.

Each qube can run applications from Debian, Fedora, Whonix, and even Windows. The visual interface to separate domains makes it very easy to manage multiple identities online: each virtual persona, pseudonym or activity can get its own dedicated qube, and Qubes integrates the Tor network so that users can easily create one or more domains with all the software they need for anonymizing their communications and online activities. Simultaneous and non-interacting VPN, Tor, and other proxy connections to the web can be set up, and one can easily route applications through these networks even if they weren’t built for it, such as Pidgin, Chromium, etc.

Separating and isolating social domains can be particularly important for high-risk individuals who could be targeted with surveillance malware. In case the attacker manages to compromise the user’s browser or email client, e.g. through a vulnerable plug-in in a browser or a malicious email attachment, the malware will only be able to access that particular qube and will not affect the whole system – and deleting the affected qube and creating a new, clean one is very easy. With Qubes OS, the user can easily open attachments by default in non-networked disposable domains, so if the attachment contains malware, it is deleted as soon as the PDF or Word document is closed and had no ability to “phone home”. In a similar way, Qubes OS by default can protect the user from USB and wifi-based attacks by isolating the USB and wifi stacks.

Qubes OS was first launched in 2012 and has a growing base of over 9,000 users. While it still requires a rather powerful computer, the Qubes team is concentrating its efforts on increasing usability and outreach, and a training prototype addressed at human rights defenders and activists will be presented within the Training & Best Practices track at the Internet Freedom Festival on Friday 4th March at 6pm.

Psiphon is a free censorship circumvention tool. Its robust network is made of more than thousand active servers, which can provide you with quick access to any blocked content on the Internet. Psiphon is an open source tool that does not require installation and automatically selects the best performance settings. More than 15 million people around the world and the largest information agencies have put their trust in Psiphon.

Psiphon helps millions of netizens around the world to connect to blocked social media and censored websites. Hundreds of thousands used Psiphon in Turkey, Egypt and Iraq to learn about and protest against governmental policies curtailing human rights, including fostering censorship and surveillance. Psiphon also aids human rights organizations and independent media outlets whose websites are blocked in various censorship hotspots. Liberal-minded organizations from Iran, China, the Middle East, the CIS, Latin America and Asia use Psiphon to stay connected to their audiences, propagate ideas of free speech and help people join movements fighting against censorship and surveillance. Many of these organizations are the only independent voices in their regions, who thanks to circumvention technologies like Psiphon manage to survive censorship policies of authoritarian regimes and remain financially viable.

Psiphon was developed as an anti-censorship tool by the Citizen Lab (University of Toronto) back in 2006. Ten years later, it remains true to its original mission, namely, to empower netizens around the world to fight back against oppressive regimes that illegitimately censor information on the Internet.

FreedomBox is a personal server that protects your privacy. It is a free software stack, a subset of the Debian universal operating system, that can be installed in many flavors of inexpensive and power-efficient hardware. FreedomBox runs in a physical computer and can route your traffic. It can sit between various devices at home such as mobiles, laptops and TVs and the Internet replacing a home wireless router. By routing traffic, FreedomBox can remove tracking advertisements and malicious web bugs before they ever reach your devices. FreedomBox can cloak your location and protect your anonymity by “onion routing” your traffic over Tor. FreedomBox provides a VPN server that you can use while you are away from home to keep your traffic secret on untrusted public wireless networks and to securely access various devices at home. It can also be carried along with your laptop and used to connect to public networks at work, school, or office to avail its services. It could be used in a village to provide communications throughout the village. In future, FreedomBox intends to provide support for alternative ways of connecting to the Internet such as Mesh networks.

FreedomBox provides services: to your computers and mobile devices in your home and to computers and mobile devices of other people who are your friends. It provides file sharing like Dropbox, shared calendaring like Google or Yahoo and photo sharing. FreedomBox provides instant messaging and secure voice conference calling that works on low bandwidth providing high quality. FreedomBox has a blog and wiki to let you publish your content and collaborate with the rest of the world. Coming soon, a personal email server and federated social networking using GNU Social and Diaspora, providing privacy-respecting alternatives to Gmail and Facebook.

Too many of us live in a world where our use of the network is mediated by organizations that often do not have our best interests at heart. By building software that does not rely on a central service, we can regain control and privacy. By keeping our data in our homes, we gain useful legal protections over it. By giving back power to the users over their networks and machines, we are returning the Internet to its intended peer-to-peer architecture. In order to bring about the new network order, it is paramount that it is easy to convert to it. The hardware it runs on must be cheap. The software it runs on must be easy to install and administrate by anybody. It must be easy to transition from existing services. There are a number of projects working to realize a future of distributed services; FreedomBox aims to bring them all together in a convenient package available for everybody.

Despite the fact that one of the most efficient ways of encrypting communications is OTR with Jabber/XMPP, the clients that support these protocols are either flawed from a security point of view or excessively hard to use. This is the reason why CoyIM is being developed. Based on Adam Langley’s xmpp-client, and written in the Go language to avoid  many common types of vulnerabilities that come from using unsafe  languages, CoyIM is a standalone program that runs on Windows, Linux and OS X and only supports one chat protocol – Jabber/XMPP.

CoyIM tries to be safe and secure by default. The developers’ ambition is that it should be possible for even the most high-risk people on the planet to safely use CoyIM, without having to make any configuration changes. To achieve this, CoyIM has a built-in support for Tor, OTR and TLS. The Tor support allows users to become anonymous when chatting; OTR makes end-to-end encryption of communication possible; and TLS adds another layer of encryption to the communication with the chat servers. These features have been built to be core parts of the application – they are not plugins or extras as in some of the most popular Jabber/XMPP clients.

Started in October 2015, CoyIM is still a very young project. There have been no security audits of the code, and you should currently not use it for anything sensitive. Being at a very early stage of development, the tool still lacks many features that users could expect in a Jabber client. The developers are working eagerly to add the needed functionalities, but for the sake of security and efficiency some other features (like hyperlinks and emoticons) will never be there. With time, CoyIM has good chances of filling an important gap in the range of communication tools that can be used in high-risk contexts.

Until recently, if someone wanted to be sure that their communications could only be read by themselves and their addressees, they had to face the steep learning curve required by encryption tools like GPG or OTR. As efficient as they are in enabling an end-to-end encrypted communication, these tools are problematic for anyone who needs to communicate efficiently and securely in a high-risk or emergency setting where there is no time for learning how to use a complicated technology. To solve this problem, a range of new, more usable encryption tools has started to be developed. This is where Peerio enters the scene.

First launched in January 2014 and currently counting 17,000 users, Peerio is a tool to send encrypted messages and files, developed with the aim of making encrypted communications attractive and accessible to people of all skill sets and backgrounds. From its intuitive interface to its rapid search of messages and documents, up to its passphrase generator, Peerio puts a strong emphasis on usability in every possible detail, thus simplifying the workflow and mitigating the risks related to user error that are often connected to traditional end-to-end encryption tools.

The encryption of messages and files (which is client-side, so the server cannot decrypt anything) does not rely on a private key that could get lost, but on a mechanism based on the user’s passphrase. When you create a Peerio account, a long random passphrase is generated for you. This passphrase is made up of 5 words selected by the client’s passphrase generator from a dictionary of 12,000 commonly used words, which makes it easier to remember (but you can also generate a shorter password that will only work in the device where you’ve generated it and store the longer passphrase in a password manager). The 5-words passphrase and your user name are all you need to access your account wherever you are, from any computer.

Localized in 12 languages, and available for Mac, Windows and Linux, the client will be soon released for Android and iOS too. Peerio’s development is particularly oriented towards facilitating collaboration and group communication: already groups can share files in Peerio and easily search through them, and in the future Peerio’s team is planning to add new features such as shared folders and documents and collective notes. Peerio client’s code has been audited (PDF) and is available on Github.