2018 IFF ‘Tools & Tech Showcase’ to feature user stories
The annual Internet Freedom Festival (IFF) in Valencia, Spain from 5-9 March 2018 will have hundreds of sessions and 1,700 participants from 130 countries. In addition, the 2018 IFF will feature its fourth edition of the Tools & Tech Showcase, organised by The Engine Room and eQualit.ie on the evening of Thursday, 8 March from 5:00 to 7:00pm.
The showcase will highlight nine tools from the IFF community. The theme for this year’s showcase is “User stories” because in addition to spotlighting tools that are new and exciting, it’s important to remember the value and impact of those that are tried and true as well.
In addition to short presentations by developers, users of the featured tools will tell their story of implementation or use of the tool. Tables for each tool will be set up along the terrace so that participants can strike up conversations with developers and users. We’ll all play Internet Freedom Tool Bingo. Don’t miss THE BINGO.
The Tool Showcase, started four years ago, makes visible the innovative and inclusive projects that protect freedom of expression and human rights online. To learn more, we have written about each of the tools:
Check
Check is a project of Meedan, an organisation that builds digital tools for global journalism and translation. Launched in 2011, the Check project “has worked to build online tools, support independent journalists, and develop media literacy training resources that aim to improve the investigative quality of citizen journalism and help limit the rapid spread of rumors and misinformation online.”
You can learn more about Check, Meedan and their other projects here:
Project website: https://meedan.com/en/check
Organisation website: https://meedan.com
Code repo: https://github.com/meedan/check
Twitter: https://twitter.com/check
Deflect
Deflect is a project of eQualitie, a software-for-good company based in Montreal that is dedicated to building tools that fight censorship for journalists and activists. Launched in 2011, Deflect is a cost-free service and free software, server-side application that keeps websites online in the event of a DDoS attack. Deflect Labs is an initiative to help “website operators, journalists and human rights advocates with real-time and historical analytic tools, as well as insight into DDoS attacks and botnets characteristics.”
You can learn more about Deflect, eQualitie and their other projects here:
Project website: https://deflect.ca
Organization website: https://equalit.ie
Code repo: https://github.com/equalitie/deflect
Twitter: @deflectca
Ooni
Ooni is a project of Tor, an organization dedicated to keeping users private, anonymous and free from online censorship. Since 2012, the Open Observatory of Network Interference (Ooni) has been monitoring global internet traffic to detect censorship, surveillance and traffic manipulation using a distributed network of tens of thousands of volunteers and researchers who run ‘ooniprobe’. Data collected from the network is published on an interactive web-based platform, Ooni Explorer.
You can learn more about Ooni, Tor and their other projects here:
Project website: https://ooni.torproject.org
Code repo: https://github.com/thetorproject/ooni-probe
Twitter: @openobservatory
Schleuder
Schleuder is a secure mailing list software that uses GPG to receive and send encrypted messages from and to list subscribers. In development for many years, Schleuder is now in v3 and actively developed by a group of volunteer contributors. Schleuder has a code of conduct for its community of contributors.
You can learn more about Schleuder here:
Project website: https://schleuder.nadir.org
Code repo: https://0xacab.org/schleuder
SecureDrop
SecureDrop is a project of Freedom of the Press Foundation, a non-profit in the US dedicated to free speech. Its development started in 2013 and it facilitates anonymous communication between whistleblowers and journalists, using the Tor network. SecureDrop’s approach to protecting anonymous sources “substantially limits the metadata trail that may exist from journalist-source communications.”
You can learn more about SecureDrop, including institutions that have their own installation, here:
Project website: https://securedrop.org
Organisation website: https://freedom.press
Code repo: https://github.com/freedomofpress/securedrop
Twitter: @securedrop
Tails
Tails is a live operating system that enables anonymity and can circumvent censorship. It’s a derivative of Debian, an operating system that uses GNU/Linux, and can be run on any computer hardware without installing itself or leaving data behind on the computer’s hard disks. The project’s Social Contract states, “We believe that privacy, the free exchange of ideas, and equal access to information are essential to free and open societies. Through our community standards and the tools we create, we provide means that empower all people to protect and advance these ideals.”
You can learn more about Tails here:
Project website: https://tails.boum.org
Code repo: https://labs.riseup.net/code/projects/tails
Twitter: @tails_live
Tunnel Bear
Tunnel Bear is a company based in Toronto that provides a subscription VPN service. Since 2011 TunnelBear VPN allows users to choose to send and receive all of their traffic through a server in one of 20 countries. The security of their tool and service has been audited by a third party and the results of the audit are available on their website.
You can learn more about Tunnel Bear here:
Project website: https://tunnelbear.com
Twitter: @thetunnelbear
Ushahidi
This month, Ushahidi celebrates its 10th anniversary. Its name means “testimony” in Swahili, and Ushahidi began as a crowdsourced map of reports during violent elections in Kenya. Today, they’re a globally distributed team who have incubated several projects beyond the original Ushahidi tool. Now on its third version, the free software can be installed on its own, or groups can deploy it on Ushahidi servers.
You can learn more about Ushahidi, the tool and the team, and their other projects here:
Project website: https://ushahidi.com
Code repo: https://github.com/ushahidi/platform
Twitter: @ushahidi
Uwazi
Uwazi is a project of HURIDOCS, an organisation that uses smart information management to support the work of human rights defenders. Uwazi organises, collects and publishes documents in a way that makes transparent data useful and meaningful.
You can learn more about Uwazi and Huridocs here:
Project website: https://www.uwazi.io
Organization website: https://huridocs.org
Code repo: https://github.com/huridocs/uwazi
Twitter: @uwazidocs
Introducing (n+1)sec – a protocol for distributed multiparty chat encryption
- Confidentiality: the conversation is not readable to an outsider
- Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
- Deniable authentication: Nobody can prove your participation in a chat
- Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
- Room consistency: Group chat participants are confident that they are in the same room
- Transcript consistency: Group chat participants are confident that they are seeing the same sequence of messages
Deflect Stats July 2016
From what we can conclude from our statistics, bot controllers must have come back from their holidays during the month of July, since traffic on the Deflect network has started to increase again and we have witnessed one of the most intense bursts of DDoS attacks we have observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 million vs. 514.1 million in June) and unique visitors (8.8 million vs. 7.8 million in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events against 33,637 bans in June, and with 52,034 unique IPs banned against 2,915 unique IPs banned during the previous month.
A notable increase was also recorded in our bandwidth usage, which peaked at 18.7 TB, up from an average monthly usage of about 13.6 TB in the previous quarter.
Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.
Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and iOS with 9.28%. The share of connections from Windows XP has fortunately dropped from 10.18% last month to 8.13% in July, but the same recommendations we gave in the post on June statistics still apply to anyone who’s running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!
From the statistics on requested resources, we can also visualize what kinds of content are being requested, with over half of the connections requesting text and images from websites.
July attacks on the Deflect network
Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.
As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress Pingback reflective attack method. This can be seen in the graph on the user agent declared by banned bots in the peak corresponding to the attack, where the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.
A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.
The main incident observed on the 10th July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their old WordPress UA, despite the fact that the bots were masquerading as “spiders”.
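To make the banning logic described above concrete, here is an added example (not Deflect’s or Banjax’s own code): a short Python pass over a handful of constructed edge-log lines. The log format, the user-agent heuristics and the sample addresses are all assumptions for the example. It flags requests whose UA is the WordPress pingback verifier string, counts banning events separately from unique banned IPs (the two figures reported in the July numbers), tallies UA families so a “wordpress” spike stands out against normal Chrome traffic, and records the address each reflector claims to be verifying, which in a reflection attack is the site actually under attack.

```python
import re
from collections import Counter

# Constructed sample edge-log lines (not real Deflect logs). The format is an
# assumption for this example:  client_ip [timestamp] "request line" status "user-agent"
SAMPLE_LOG = """\
203.0.113.10 [10/Jul/2016:13:01:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
198.51.100.7 [10/Jul/2016:13:01:03 +0000] "GET /?1234 HTTP/1.0" 200 "WordPress/4.2.2; http://reflector-a.example; verifying pingback from 203.0.113.200"
198.51.100.7 [10/Jul/2016:13:01:03 +0000] "GET /?1235 HTTP/1.0" 200 "WordPress/4.2.2; http://reflector-a.example; verifying pingback from 203.0.113.200"
198.51.100.9 [10/Jul/2016:13:01:04 +0000] "GET /?8 HTTP/1.0" 200 "WordPress/3.9.1; http://reflector-b.example; verifying pingback from 203.0.113.200"
192.0.2.44 [10/Jul/2016:13:01:05 +0000] "GET /robots.txt HTTP/1.1" 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.12 [10/Jul/2016:13:01:06 +0000] "GET /?77 HTTP/1.0" 200 "Mozilla/5.0 (compatible; spider) WordPress/4.1; http://reflector-c.example; verifying pingback from 203.0.113.200"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# The UA a WordPress site sends while verifying a pingback, i.e. the string an
# abused reflector presents to the target:
#   WordPress/<version>; <reflector url>; verifying pingback from <claimed source>
PINGBACK_RE = re.compile(
    r'WordPress/(?P<ver>\d+(?:\.\d+){1,2});.*verifying pingback from (?P<src>\S+)'
)


def parse_line(line):
    """Split one log line into its fields, or return None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def pingback_reflection(ua):
    """Return the regex match if the UA is a WordPress pingback verifier, else None.
    The pattern is searched anywhere in the UA, so prefixing a crawler or
    'spider' token does not hide the WordPress verifier string."""
    return PINGBACK_RE.search(ua)


def ua_family(ua):
    """Coarse UA bucket used only for the per-family tallies in the summary."""
    if pingback_reflection(ua):
        return "wordpress"
    if "Chrome/" in ua:
        return "chrome"
    if "bot" in ua.lower() or "spider" in ua.lower():
        return "spider"
    return "other"


def analyse(log_text):
    """Run the pingback check over every line and return ban statistics."""
    banning_events = 0          # one event per offending request
    banned_ips = set()          # each offending client counted once
    all_uas = Counter()
    banned_uas = Counter()
    claimed_sources = Counter() # the address the reflector says it is verifying
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        family = ua_family(rec["ua"])
        all_uas[family] += 1
        m = pingback_reflection(rec["ua"])
        if m:
            banning_events += 1
            banned_ips.add(rec["ip"])
            banned_uas[family] += 1
            claimed_sources[m.group("src")] += 1
    return {
        "banning_events": banning_events,
        "unique_banned_ips": sorted(banned_ips),
        "ua_families": dict(all_uas),
        "banned_ua_families": dict(banned_uas),
        "claimed_pingback_sources": dict(claimed_sources),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input the pass records four banning events from three distinct client IPs, all of them claiming to verify a pingback from the same address, which is the signature the July graphs show: a burst of “wordpress” user agents from many reflectors converging on one site.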
np1sec challenge
The challenge involves implementing three of our XMPP test client event handlers: join, receive and send. The result will be a client that people can use to join a room and chat securely. Note that the purpose of the challenge is for the EQ team to get to know the candidates and be comfortable with their C++ competence before commencing our interview process. Please reach out if you get stuck somewhere – this is not held against you.
Step 1: Get the code and get it compiled:
You need our fork of libgcrypt for it:
https://github.com/equalitie/libgcrypt
Then you need to get the code
https://github.com/equalitie/np1sec
and follow the README. Finally test with the mock client:
./libnp1sec_test
If you link against the upstream libgcrypt instead of our fork, you will get a gcrypt-related error.
Step 2: Run the xmpp test client. It is implemented in
https://github.com/equalitie/np1sec/blob/master/test/xmpp_test.cpp
Log in to two different accounts and try to chat, etc.
Step 3: Implement the join/send and receive handler
Look at the example at:
https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L54
and
https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L127
Note that in the mock client the join and receive events are both handled by chat_mocker_np1sec_plugin_receive_handler, whereas in the libpurple client they are handled in different functions.
Step 4: Implement the call backs:
You need to provide some callbacks to the np1sec library. You can find the association for the chat mocker here:
https://github.com/equalitie/np1sec/blob/master/test/session_test.cc#L62
mockops->send_bare = send_bare;
mockops->join = new_session_announce;
mockops->leave = new_session_announce;
mockops->display_message = display_message;
mockops->set_timer = set_timer;
mockops->axe_timer = axe_timer;
They are implemented here:
https://github.com/equalitie/np1sec/blob/master/test/chat_mocker_np1sec_plugin.cc#L135
You only need to implement send_bare and provide do-nothing functions for set_timer/axe_timer.
Step 5: Test your client:
Follow the lines in
https://github.com/equalitie/np1sec/blob/master/test/session_test.cc#L189
to initiate the np1sec UserState and see if you can join and talk to yourself.
Be the (Web) Master of your own (Secret) Domain
We are very pleased to announce that all websites signing up for DDoS protection with Deflect will now receive an authenticated password giving them easy access to their admin panel without having to reconfigure settings on their host server.
In the past, our practice has always been to set up a special secret login address which we would send to each site (known as a nocache address), and webmasters would then have to configure their servers to respond accordingly whenever they needed to access their admin page (as detailed in Step 5 of the Walkthrough on our wiki).
We did this to avoid any problems with the admin panel itself being cached. In such circumstances, any changes in content made to the website would be subject to the caching process rather than take effect immediately, thus affecting the user experience.
The problem has been solved by tweaking our detection software to distinguish between legitimate users and attackers – just as it does with traffic to the public website – by checking that the authenticated password and authenticated cookie match up whenever a request is made to log in. If everything does match up, the user gets access to the admin panel and any changes made take effect immediately rather than being affected by the caching procedure. Unauthenticated users will be blocked.
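As an added illustration of the check described above (this is not Deflect’s code, and the cookie format, the admin path list and the password storage scheme are all assumptions for the example), here is a small Python model of the edge decision: an admin login that succeeds only against a stored salted password hash, a cookie bound to the site and signed with an edge-side secret, and a per-request router that forwards an authenticated admin request to the origin with caching bypassed, blocks an unauthenticated one, and leaves public pages on the normal caching path.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Paths treated as the admin panel. An assumption for the example, not Deflect's list.
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php", "/admin", "/login")
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the stored form 'salt_hex$pbkdf2_hex' when an admin password is issued."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a presented password against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _sign(secret: bytes, site: str, expiry: int) -> str:
    # The MAC covers the site name so a cookie issued for one site is useless on another.
    return hmac.new(secret, f"{site}|{expiry}".encode(), hashlib.sha256).hexdigest()


def login(secret: bytes, site: str, password: str, stored: str,
          ttl: int = 3600, now: Optional[int] = None) -> Optional[str]:
    """Admin login: return a signed, expiring cookie if the password is right, else None."""
    if not check_password(password, stored):
        return None
    expiry = int(time.time() if now is None else now) + ttl
    return f"{site}|{expiry}|{_sign(secret, site, expiry)}"


def verify_cookie(secret: bytes, site: str, cookie: Optional[str],
                  now: Optional[int] = None) -> bool:
    """True only if the cookie is well-formed, bound to this site, unexpired and its MAC matches."""
    if not cookie:
        return False
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    c_site, c_exp, c_mac = parts
    if c_site != site or not c_exp.isdigit():
        return False
    expiry = int(c_exp)
    if int(time.time() if now is None else now) >= expiry:
        return False
    return hmac.compare_digest(c_mac, _sign(secret, site, expiry))


def route_request(secret: bytes, site: str, path: str, cookie: Optional[str],
                  now: Optional[int] = None) -> str:
    """Edge decision for one request:
    'cache'          - public page, served through the normal caching path
    'origin-nocache' - authenticated admin request, passed straight to the origin
    'block'          - admin request without a valid cookie
    """
    if not path.startswith(ADMIN_PREFIXES):
        return "cache"
    return "origin-nocache" if verify_cookie(secret, site, cookie, now) else "block"


if __name__ == "__main__":
    secret = b"constructed-edge-secret"           # constructed sample value
    stored = hash_password("correct horse")        # constructed sample password
    cookie = login(secret, "example.org", "correct horse", stored)
    print(route_request(secret, "example.org", "/wp-admin/", cookie))   # origin-nocache
    print(route_request(secret, "example.org", "/wp-admin/", None))     # block
    print(route_request(secret, "example.org", "/", None))              # cache
```

The two properties worth noting are that the cookie carries no password material (only the site, an expiry and a MAC), so a captured cookie cannot be turned back into the password, and that both comparisons use hmac.compare_digest, so neither a wrong password nor a tampered cookie leaks timing information about how close the guess was.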
We are in the process of offering current Deflect users the opportunity to switch to the authenticated password system.
In the previous procedure, hiding the URL added an extra layer of security for the site since it made it much more difficult for hackers to guess the address (…/admin , /login etc) and brute force their way in using password-cracking software. Of course it is good practice to keep a secret URL address to increase security by one more layer, so we will always provide the option for new users to change their admin URL from the default address to a secret one.
Today’s announcement marks another stage in our goal to simplify every step of the Deflect signup procedure. Below is a preview of the new Dashboard, the first thing you will see after signing up and receiving your login details. Notice the magnificently reduced steps involved in becoming a full Deflectee.
Coming very soon!
(n+1)sec = privacy on the Net
In advance of this year’s Human Rights Day, eQualit.ie is proud to release the first public draft of a provably secure protocol for group messaging on the Internet.
The protocol provides for end-to-end security of synchronous communications between any number of people. It is efficient and builds on recent advancements in cryptographic research. Security properties of (n+1)sec include:
- Confidentiality: the conversation is not readable to an outsider
- Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
- Deniable authentication: Nobody can prove your participation in a chat
- Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
- Room consistency: Group chat participants are confident that they are in the same room
- Transcript consistency: Group chat participants are confident that they are seeing the same sequence of messages
The protocol is being implemented as a FLOSS libpurple plugin and will find its first home in crypto.cat. We anticipate wide adoption in other instant messaging platforms. Contact us, join the conversation or check out the code on GitHub.
Secure Hosting Guide available now
We are pleased to announce the launch of our Secure Hosting Guide, available now on learn.equalit.ie. The guide has been produced in collaboration with our friends at Huridocs and will be useful for anyone who wants to know the key factors involved when looking for a good hosting provider. It has been written for users of all technical abilities and budgetary constraints and is tailored specifically to focus on the issues that matter most to our partners: concerns over data security, server reliability and technical support are priorities when you are running a website that attracts the attention of hackers, botnets, social engineers and the local surveillance services.
In addition to hosting, the document has sections on choosing a name registrar, dealing with threat mitigation and the considerations regarding legal and contractual issues. This is an evolving document in a fast-changing field, so we welcome feedback and contributions from users and other knowledgeable parties.
Finally, there is a set of reviews for the ISPs that eQualitie uses with Deflect. We invite you to add to this list of trustworthy (and not so trustworthy) hosting providers.
Feeling Insecure? Try some Digital Self-Help
We’re launching a free guide for teaching yourself Digital Security which can be accessed right here.
Over the last 8 years, eQualitie has been leading Digital Security trainings in dozens of countries for hundreds of activists and journalists, as well as building two Digital Security schools and training many others to become trainers themselves. Every year we’ve seen the demand for trainings increase, and while we are always interested in working with whomever requires our services (please contact us if you’d like to talk about that), we understand that there are many more groups across the world we cannot easily get to for a variety of reasons, such as lack of funds, travel restrictions or scheduling conflicts. So we want to help anyone who would like to learn these skills and tools and has the motivation to teach themselves.
This is the latest in a series of guides we have made freely available, following on from the Digital Security Manual and Trainer’s Curricula. Next up, we’re putting together a guide on secure website hosting.