2018 IFF ‘Tools & Tech Showcase’ to feature user stories

The annual Internet Freedom Festival (IFF) in Valencia, Spain from 5-9 March 2018 will have hundreds of sessions and 1,700 participants from 130 countries. In addition, the 2018 IFF will feature its fourth edition of the Tools & Tech Showcase, organised by The Engine Room and eQualit.ie on the evening of Thursday, 8 March from 5:00 to 7:00pm.

The showcase will highlight nine tools from the IFF community. The theme for this year’s showcase is “User stories” because in addition to spotlighting tools that are new and exciting, it’s important to remember the value and impact of those that are tried and true as well.

In addition to short presentations by developers, users of the featured tools will tell their story of implementation or use of the tool. Tables for each tool will be set up along the terrace so that participants can strike up conversations with developers and users. We’ll all play Internet Freedom Tool Bingo. Don’t miss THE BINGO.

The Tool Showcase, started four years ago, makes visible the innovative and inclusive projects that protect freedom of expression and human rights online. To learn more, we have written about each of the tools:

Check

Check is a project of Meedan, an organisation that builds digital tools for global journalism and translation. Launched in 2011, the Check project “has worked to build online tools, support independent journalists, and develop media literacy training resources that aim to improve the investigative quality of citizen journalism and help limit the rapid spread of rumors and misinformation online.”

You can learn more about Check, Meedan and their other projects here:

Project website: https://meedan.com/en/check
Organisation website: https://meedan.com
Code repo: https://github.com/meedan/check
Twitter: https://twitter.com/check

Deflect

Deflect is a project of eQualitie, a software-for-good company based in Montreal that is dedicated to building tools that fight censorship for journalists and activists. Launched in 2011, Deflect is a free-of-charge service and a free-software, server-side application that keeps websites online in the event of a DDoS attack. Deflect Labs is an initiative to help “website operators, journalists and human rights advocates with real-time and historical analytic tools, as well as insight into DDoS attacks and botnets characteristics.”

You can learn more about Deflect, eQualitie and their other projects here:

Project website: https://deflect.ca
Organization website: https://equalit.ie
Code repo: https://github.com/equalitie/deflect
Twitter: @deflectca

Ooni

Ooni is a project of Tor, an organization dedicated to keeping users private, anonymous and free from online censorship. Since 2012, the Open Observatory of Network Interference (Ooni) has been monitoring global internet traffic to detect censorship, surveillance and traffic manipulation using a distributed network of tens of thousands of volunteers and researchers who run ‘ooniprobe’. Data collected from the network is published on an interactive web-based platform, Ooni Explorer.

You can learn more about Ooni, Tor and their other projects here:

Project website: https://ooni.torproject.org
Code repo: https://github.com/thetorproject/ooni-probe
Twitter: @openobservatory

Schleuder

Schleuder is a secure mailing list software that uses GPG to receive and send encrypted messages from and to list subscribers. In development for many years, Schleuder is now in v3 and actively developed by a group of volunteer contributors. Schleuder has a code of conduct for its community of contributors.

You can learn more about Schleuder here:

Project website: https://schleuder.nadir.org
Code repo: https://0xacab.org/schleuder

SecureDrop

SecureDrop is a project of Freedom of the Press Foundation, a non-profit in the US dedicated to free speech. Its development started in 2013 and it facilitates anonymous communication between whistleblowers and journalists, using the Tor network. SecureDrop’s approach to protecting anonymous sources “substantially limits the metadata trail that may exist from journalist-source communications.”

You can learn more about SecureDrop, including institutions that have their own installation, here:

Project website: https://securedrop.org
Organisation website: https://freedom.press
Code repo: https://github.com/freedomofpress/securedrop
Twitter: @securedrop

Tails

Tails is a live operating system that enables anonymity and can circumvent censorship. It’s a derivative of Debian, an operating system that uses GNU/Linux, and can be run on any computer hardware without installing itself or leaving data behind on the computer’s hard disks. The project’s Social Contract states, “We believe that privacy, the free exchange of ideas, and equal access to information are essential to free and open societies. Through our community standards and the tools we create, we provide means that empower all people to protect and advance these ideals.”

You can learn more about Tails here:

Project website: https://tails.boum.org
Code repo: https://labs.riseup.net/code/projects/tails
Twitter: @tails_live

Tunnel Bear

Tunnel Bear is a company based in Toronto that provides a subscription VPN service. Since 2011, TunnelBear VPN has let users choose to send and receive all of their traffic through a server in one of 20 countries. The security of their tool and service has been audited by a third party and the results of the audit are available on their website.

You can learn more about Tunnel Bear here:

Project website: https://tunnelbear.com
Twitter: @thetunnelbear

Ushahidi

This month, Ushahidi celebrates its 10th anniversary. Ushahidi, which means “testimony” in Swahili, created a crowdsourced map of reports during violent elections in Kenya. Today, they’re a globally distributed team who have incubated several projects beyond the original Ushahidi tool. On its third version, the free software can be installed on its own or groups can deploy it on Ushahidi servers.

You can learn more about Ushahidi, the tool and the team, and their other projects here:

Project website: https://ushahidi.com
Code repo: https://github.com/ushahidi/platform
Twitter: @ushahidi

Uwazi

Uwazi is a project of HURIDOCS, an organisation that uses smart information management to support the work of human rights defenders. Uwazi organises, collects and publishes documents in a way that makes transparent data useful and meaningful.

You can learn more about Uwazi and Huridocs here:

Project website: https://www.uwazi.io
Organization website: https://huridocs.org
Code repo: https://github.com/huridocs/uwazi
Twitter: @uwazidocs

Introducing (n+1)sec – a protocol for distributed multiparty chat encryption

Today we present (n+1)sec, a free (libre), end-to-end secure, synchronous protocol for group chat developed by eQualit.ie with support from the Open Technology Fund. After 2 years of design, development and testing, we are releasing the (n+1)sec protocol and library for securing group conversations on various messaging systems, like Jabber/XMPP or IRC. Following a  protocol and cryptographic review by the NCC Group, we are looking forward to its implementation in as many chat clients as possible.

Distributed encryption for federated group chat

Considering the times we live in, people tend to rely more and more on encrypted chat for communicating securely with their friends and colleagues. Some of the most secure communication tools have been conceived for this kind of interaction online, including the widespread OTR (off-the-record) and Signal protocols. Our aim was to complement and build on these technologies, offering communication and privacy properties that these protocols do not currently provide. For example, OTR has been around for over a decade and is built into many desktop and mobile messaging platforms. Its encryption capabilities, however, are limited to conversations between two people, and cannot be used for a group of three or more. The Signal protocol has been implemented in Signal, WhatsApp, Facebook Messenger and many other tools, reaching over a billion users. It is an incredibly powerful solution, but it relies on asynchronous communication and is therefore also dependent on the messaging platform — a central server that can become a single point of failure (or of metadata collection).
These were the starting points for eQualit.ie when considering the (n+1)sec design – we wanted a tool as flexible as OTR that could offer groups and organizations a secure way of communicating and coordinating, respecting federation for messaging protocols and adhering to end-to-end encryption properties for privacy. Our final protocol has the following security properties for group messaging:
  • Confidentiality: the conversation is not readable to an outsider
  • Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
  • Deniable authentication: Nobody can prove your participation in a chat
  • Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
  • Room consistency: Group chat participants are confident that they are in the same room
  • Transcript consistency:  Group chat participants are confident that they are seeing the same sequence of messages

Can I test it?

To be sure that (n+1)sec did what we wanted it to do, we have developed an internal dogfooding client in the form of a Pidgin plugin. It is experimental and you shouldn’t rely on it for security – or even stable communications – but it is a good demonstration of how (n+1)sec works. There is a public server set up for testing it with your friends and colleagues. You can also run the software with any Jabber/XMPP server you already have.
We also wrote a command line client, called Jabberite. It’s in the main (n+1)sec repository and can be used, for instance, with EchoChamber, a testing platform for the (n+1)sec protocol that simulates network conditions and peer behaviour to produce programmer-friendly benchmark data.

How can I help?

Now that a first protocol for secure distributed multiparty chat exists, we would love to see it implemented and used! If you are interested in making this happen, you can lend us a hand: testing, bug tracking, and of course further development are welcome. The code is out there — just check it out! And of course, if you have any feedback you don’t think fits in a public GitHub repository, you can always write to us through our contact form https://equalit.ie/#contact.

Deflect Stats July 2016

From what we can conclude from our statistics, during the month of July bot controllers must have come back from their holidays, since the traffic on the Deflect network has started to increase again and we have witnessed one of the most intense bursts of DDoS attacks we have observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 million vs. 514.1 million in June) and unique visitors (8.8 million vs. 7.8 million in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events, against 33,637 bans in June, and with 52,034 unique IPs banned, against 2,915 unique IPs banned during the previous month.

A notable increase was also recorded in our bandwidth usage, which peaked at 18.7 TB from an average monthly usage of about 13.6 TB in the previous quarter.

Daily bandwidth usage on the Deflect network between May and July

Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.

In July, unique visitors of websites protected by Deflect connected mostly from Ukraine, followed by Turkey and Germany

Daily hits on the Deflect network, by country: also in July, the main country of origin of visitors of deflected websites was Ukraine, followed by the USA and Turkey. The peak on the 10th of July confirms that the DDoS attacks we helped mitigate on that day originated mostly from the United States

Bandwidth usage by country of requesting IP. Once again, Ukraine and the USA are the first two countries requesting resources from deflected websites. Note the peak of requests originating from the United States on July 10th

Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and by iOS with 9.28%. The share of connections from Windows XP has fortunately dropped from 10.18% last month to 8.13% in July, but the same recommendations we gave in the post on June statistics still apply to anyone who’s running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!

From the statistics on requested resources, we can also visualize what kinds of contents are being requested, with over half of the connections requesting text and images from websites.

July attacks on the Deflect network

Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.

Banning events during the month of July on the Deflect network

Banning events by host: this month 2 deflected websites were targeted in particular

Banning events divided by country. The peaks corresponding to the main attacks we mitigated, on the 10th and on the 18th-19th July, all originated mostly from the USA

As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress pingback reflective attack method. This can be seen in the graph of user agents declared by banned bots, where in the peak corresponding to the attack the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.

A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.

Banning events by user agent name: bots used in the attacks were declaring a “wordpress” UA

Total hits to the Deflect network divided by user agent: while most of the connections to deflected websites originate from Google Chrome browsers, during the attack we observed a peak of “WordPress” UAs

Total hits to the Deflect network divided by user agent: the peak of “WordPress” UAs observed during the attacks is highlighted

The main incident observed on the 10th July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their old WordPress UA, despite the fact that the bots were masquerading as “spiders”.

What triggered our system to ban bots during the 10th July attack was mainly an old WordPress UA

Bots taking part in the WordPress pingback attack against the BLM website were identifying themselves with a “spider” user agent device
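As an added illustration of the detection described above (not code from Deflect or Banjax), the following Python script parses constructed access-log lines in combined log format, buckets hits per minute, flags windows in which the WordPress pingback-verification user agent dominates, and collects the reflecting WordPress sites named in those UAs so their operators can be notified. The sample lines, thresholds and function names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample access-log lines (combined log format); not real Deflect data.
# The three 198.51.100.x hits carry the UA a WordPress site sends while verifying
# a pingback; the last line is a plain WordPress fetch and must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2016:14:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
198.51.100.7 - - [10/Jul/2016:14:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "WordPress/4.2.1; http://blog-a.example; verifying pingback from 192.0.2.1"
198.51.100.8 - - [10/Jul/2016:14:00:02 +0000] "GET /?p=2 HTTP/1.1" 200 5120 "-" "WordPress/3.9; http://blog-b.example; verifying pingback from 192.0.2.1"
198.51.100.7 - - [10/Jul/2016:14:00:03 +0000] "GET /?p=3 HTTP/1.1" 200 5120 "-" "WordPress/4.2.1; http://blog-a.example; verifying pingback from 192.0.2.1"
203.0.113.11 - - [10/Jul/2016:14:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; Android 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Mobile Safari/537.36"
203.0.113.12 - - [10/Jul/2016:14:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1 Safari/601.1"
203.0.113.13 - - [10/Jul/2016:14:01:12 +0000] "GET /feed HTTP/1.1" 200 900 "-" "WordPress/4.5.3; http://blog-c.example"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# UA format a WordPress site uses when it fetches the source URL of a pingback.
PINGBACK_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<src>\S+)$')


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), ua, ... or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ua_family(ua):
    """Coarse UA classification; 'wordpress-pingback' is the reflection signature."""
    if PINGBACK_RE.match(ua):
        return "wordpress-pingback"
    if ua.startswith("WordPress/"):
        return "wordpress"
    if "Chrome/" in ua:
        return "chrome"
    if "Safari/" in ua:
        return "safari"
    return "other"


def analyse(log_text, window_seconds=60, min_hits=3, min_share=0.5):
    """Return (flagged, reflectors).

    flagged: list of (window_start, pingback_hits, total_hits) for windows where
    pingback-verification UAs are at least min_hits and at least min_share of hits.
    reflectors: reflecting WordPress site host -> set of client IPs seen with it.
    """
    buckets = defaultdict(Counter)
    reflectors = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        buckets[key][ua_family(rec["ua"])] += 1
        m = PINGBACK_RE.match(rec["ua"])
        if m:
            reflectors[urlparse(m.group("site")).hostname].add(rec["ip"])
    flagged = []
    for key in sorted(buckets):
        total = sum(buckets[key].values())
        pingback = buckets[key]["wordpress-pingback"]
        if pingback >= min_hits and pingback / total >= min_share:
            flagged.append((datetime.fromtimestamp(key, timezone.utc), pingback, total))
    return flagged, dict(reflectors)


if __name__ == "__main__":
    for start, pingback, total in analyse(SAMPLE_LOG)[0]:
        print(f"{start:%Y-%m-%d %H:%M}: {pingback}/{total} hits are pingback verifications")
```

On real logs the thresholds should be tuned to the site's baseline, since a single legitimate pingback burst after a popular post can otherwise look like an attack.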

np1sec challenge

The challenge involves partially implementing some of our XMPP test client event handlers, namely join, receive and send. The result will be a client that people can use to join and chat securely. Note that the purpose of the challenge is for the EQ team to get to know the candidates and be comfortable with their C++ competence before commencing our interview process. Please reach out if you get stuck somewhere – this is not held against you.

Step 1: Get the code and get it compiled:

You need our fork of libgcrypt for it:

https://github.com/equalitie/libgcrypt

Then you need to get the code

https://github.com/equalitie/np1sec

and follow the README. Finally test with the mock client:

./libnp1sec_test

If you link to the original libgcrypt you’ll get some kind of gcrypt-related error.

Step 2: Run the XMPP test client. It is implemented in

https://github.com/equalitie/np1sec/blob/master/test/xmpp_test.cpp

Log in with two different accounts, try to chat, etc.

Step 3: Implement the join, send and receive handlers

Look at the example at:
https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L54

and

https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L127

Note that in the mock client both the join and receive handlers are handled by chat_mocker_np1sec_plugin_receive_handler, whereas in the libpurple case they are handled in different functions.

Step 4: Implement the callbacks:

You need to provide some callbacks to the np1sec library. You can find the association for the chat mocker here:

https://github.com/equalitie/np1sec/blob/master/test/session_test.cc#L62

mockops->send_bare = send_bare;
mockops->join = new_session_announce;
mockops->leave = new_session_announce;
mockops->display_message = display_message;
mockops->set_timer = set_timer;
mockops->axe_timer = axe_timer;

They are implemented here:

https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L135

You only need to implement send_bare and supply do-nothing functions for set_timer/axe_timer.

Step 5: Test your client:

Follow the lines in

https://github.com/equalitie/np1sec/blob/master/test/session_test.cc#L189

to initiate the np1sec UserState and see if you can join and talk to yourself.

Be the (Web) Master of your own (Secret) Domain

We are very pleased to announce that all websites signing up for DDoS protection with Deflect will now receive an authenticated password giving them easy access to their admin panel without having to reconfigure settings on their host server.

In the past, our practice has always been to set up a special secret login address which we would send to each site (known as a nocache address), and webmasters would then have to configure their servers to respond accordingly whenever they needed to access their admin page (as detailed in Step 5 of the Walkthrough on our wiki).

We did this to avoid any problems with the admin panel itself being cached. In such circumstances, any changes in content made to the website would be subject to the caching process rather than take effect immediately, thus affecting the user experience.

The problem has been solved by tweaking our detection software to distinguish between legitimate users and attackers – just as it does with traffic to the public website – by checking that the authenticated password and authenticated cookie match up whenever a request is made to log in. If everything does match up, the user gets access to the admin panel and any changes made take effect immediately rather than being affected by the caching procedure. Unauthenticated users will be blocked.

We are in the process of offering current Deflect users the opportunity to switch to the authenticated password system.

In the previous procedure, hiding the URL added an extra layer of security for the site, since it made it much more difficult for hackers to guess the address (…/admin, /login, etc.) and brute force their way in using password-cracking software. Of course it is good practice to keep a secret URL address to increase security by one more layer, so we will always provide the option for new users to change their admin URL from the default address to a secret one.

Today’s announcement marks another stage in our goal to simplify every step of the Deflect signup procedure. Below is a preview of the new Dashboard, the first thing you will see after signing up and receiving your login details. Notice the magnificently reduced steps involved in becoming a full Deflectee.

new_setup_screen_1

Coming very soon!

(n+1)sec = privacy on the Net

In advance of this year’s Human Rights Day, eQualit.ie is proud to release the first public draft of a provably secure protocol for group messaging on the Internet.

The protocol provides for end-to-end security of synchronous communications between any number of people. It is efficient and builds on recent advancements in cryptographic research. Security properties of (n+1)sec include:

  • Confidentiality: the conversation is not readable to an outsider
  • Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
  • Deniable authentication: Nobody can prove your participation in a chat
  • Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
  • Room consistency: Group chat participants are confident that they are in the same room
  • Transcript consistency:  Group chat participants are confident that they are seeing the same sequence of messages

The protocol is being implemented as a FLOSS libpurple plugin and will find its first home in crypto.cat. We anticipate wide adoption in other instant messaging platforms. Contact us, join the conversation or check out the code on GitHub.

Secure Hosting Guide available now

We are pleased to announce the launch of our Secure Hosting Guide, available now on learn.equalit.ie. The guide has been produced in collaboration with our friends at Huridocs and will be useful for anyone who wants to know the key factors involved when looking for a good hosting provider. It has been written for users of all technical abilities and budgetary constraints and is tailored specifically to focus on the issues that matter most to our partners: concerns over data security, server reliability and technical support are priorities when you are running a website that attracts the attention of hackers, botnets, social engineers and the local surveillance services.

In addition to hosting, the document has sections on choosing a name registrar, dealing with threat mitigation and the considerations regarding legal and contractual issues. This is an evolving document in a fast-changing field, so we welcome feedback and contributions from users and other knowledgeable parties.

Finally, there is a set of reviews for the ISPs that eQualitie uses with Deflect. We invite you to add to this list of trustworthy (and not so trustworthy) hosting providers.

Feeling Insecure? Try some Digital Self-Help

We’re launching a free guide for teaching yourself Digital Security which can be accessed right here.

Over the last 8 years, eQualitie has been leading Digital Security trainings in dozens of countries for hundreds of activists and journalists, as well as building two Digital Security schools and training many others to become trainers themselves. Every year we’ve seen the demand for trainings increase, and while we are always interested in working with whoever requires our services (please contact us if you’d like to talk about that), we understand that there are many more groups across the world we cannot easily get to for a variety of reasons, such as lack of funds, travel restrictions or scheduling conflicts. So we want to help anyone who would like to learn these skills and tools and has the motivation to teach themselves.

This is the latest in a series of guides we have made freely available, following on from the Digital Security Manual and Trainer’s Curricula. Next up, we’re putting together a guide on secure website hosting.
