Category: MeetUps and Presentations

DevConMru – Backup in the cloud for the Paranoid by cyberstorm.mu

At Cyberstorm Mauritius we work on several projects and code for fun. One of the interesting projects we have looked at is an application called Tarsnap, which is used to perform secure backups in the cloud. At Cyberstorm Mauritius, myself (@TheTunnelix) and Codarren (@Devildron) recently sent code to Tarsnap and it was approved. That's really cool when someone's code is approved and used worldwide by thousands of companies. Today, I had the privilege of speaking on Tarsnap at DevConMru 2016, which was held at the Voila hotel, Bagatelle. On reaching there, I was impressed by the number of people already waiting inside the conference room who were curious about Tarsnap. Some were entrepreneurs whilst others were students. I should say around 30 people attended the conference. Since it was a Sunday at 11:30 am, the team did not hesitate to bring some beer to the little crowd present there. I was busy setting up my laptop for the presentation.

As usual, I like to get the attention of my audience before the presentation. My first slide showed the logo of Tarsnap upside down.


Everyone was turning their head and making the effort to read the content. And here we go. I noticed that they were all ready and curious about it.

Check out the slides here.

The basics of Tarsnap were explained. Tarsnap takes streams of archive data and splits them into variable-length blocks. Those blocks are compared and any duplicate blocks are removed. Data deduplication happens before it is uploaded to the Tarsnap server. Tarsnap does not create temporary files but instead keeps a cache file on the client, which tracks the files that are being backed up to the Tarsnap server. After deduplication, the data is compressed, encrypted, signed and sent to the Tarsnap server. I also explained that the archives are stored on Amazon S3, with EC2 servers handling them. Another interesting point raised was that Tarsnap uses smart, rsync-like, block-oriented snapshot operations that upload only data which has changed, to minimize transmission costs. One does not need to trust any vendor's cryptographic claims: you have full access to the client source code, which uses open-source libraries and industry-vetted algorithms such as RSA, AES and SHA.

Moving on to Tarsnap and bandwidth, emphasis was placed on how Tarsnap synchronizes blocks of data using a very intelligent algorithm. Nowadays, there are companies that still use tapes for backups. Imagine having so many tapes; when restoration time arrives, it would take a tremendous amount of time. Tarsnap compresses, encrypts and cryptographically signs every byte you send to it. No knowledge of cryptographic protocols is required. At this point, I asked for volunteers who are thinking of looking at the Tarsnap code. Three people raised their hands. The importance of the key file was raised, as some companies secure their private key in a safe. Tarsnap also supports division of responsibilities: it was explained that a particular key can be restricted so that it can only be used to create archives and not delete them.

An analogy between Google Drive and Tarsnap was given. Many already understood the importance of Tarsnap compared to Google Drive. The concept of deduplication was explained using examples. For the network enthusiasts, I laid emphasis on port 9279, which should not be blocked on the firewall, as the Tarsnap client connects on that port. Coming to confidentiality, it was made clear enough to the audience how well the data is secured. If someone loses the key, there is no way of getting the data back.

Tarsnap is not an open source product. However, the client code is open to learn from, break and study. I laid emphasis on the reusable open source components that come with Tarsnap, for example the scrypt KDF (key derivation function). A KDF derives one or more secret keys from a secret value such as a master key, a password or a passphrase, using a pseudo-random function. The Kivaloo data store was briefly explained. It is a collection of utilities which together form a data store associating keys of up to 255 bytes with values of up to 255 bytes. Writes are accepted until data has been synced. If A completed before B, B will see the results of A. The spiped secure pipe daemon is a utility for creating symmetrically encrypted and authenticated pipes between socket addresses, so that one may connect to one address.

I also explained to the audience the pricing mechanism, which was perceived as rather cheap for its security and data deduplication mechanisms. Tarsnap pricing works similarly to a prepaid, utility-metered model. A deposit of $5 is needed. Many were amazed when I told them that the balance is tracked to 18 decimal places. You pay exactly for what is consumed.

Other interesting features, such as regular expression support and the dry-run feature of Tarsnap, were covered. The tar command was also compared with Tarsnap. Commands, hints and tricks were explained.

At the end, I consider it really important to credit Colin, the author of Tarsnap, and I have been strongly inspired by the work of Michael Lucas on Tarsnap. Indeed, another great achievement of Cyberstorm Mauritius at DevConMru 2016.


Operation WTF Hackathon by cyberstorm.mu – Day 2

After having set up our network environment for Operation WTF, the cyberstorm.mu team started working on several vulnerabilities around the WordPress content management system. It started on Saturday the 14th of May, when several proofs of concept (POC) were established. I was shocked to see how easy it is to exploit a WordPress website. For security purposes, we have to blank out parts of URLs before posting on social networks. No wonder Loganaden Velvindron of cyberstorm.mu did not hesitate to give his opinion on Medium.com: “Many bloggers use it, because it is both easy to set up, and there is a rich ecosystem of WordPress plugins. WordPress has often been criticized due to its security record. What is more worrying is the varying quality of the WordPress plugins.”

POC – Vulnerability found!

Operation WTF – WordPress Tiny flaws ended on Sunday the 15th of May 2016 after lines of code in many WordPress plugins were fixed. We can also see how dangerous it is if a proper audit is not carried out on WordPress before putting a website into production. Here is another example where /etc/passwd was retrieved, by hackers Mauritius.


Patches were also written to fix bugs. However, it is to be noted that for security reasons the patches are not disclosed for the time being, as at cyberstorm.mu we follow ethical rules and staying within the grey line is of paramount importance.


Operation WTF Hackathon by cyberstorm.mu – Day1

If you have been following the recent activities of cyberstorm.mu these days, you will surely have noticed a new hackathon organized by the same team: Operation WTF, with the aim of hacking around WordPress security vulnerabilities. The event happened at Pereybere.

Though we did not have any network connection, the guys started with setting up the network cables. We used the Emtel WIFI Plus. The team set up the antenna on top of the building as we had a DNS issue. We then used a router with OpenWRT to boost our connection and a WIFI extender to boost the signal.

At the time I am writing this article, the hackathon is still going on. Keep in touch to follow our activities.


Hackathon in Mauritius – Operation SAD

We did it! The hackathon in Mauritius titled Operation SAD – Search and Destroy is a success. Who is the cyberstorm.mu winning team? Well, it's a group of Linux developers residing in Mauritius who are happily improving the security of Linux. An audit is first performed on the Linux platform and several security vulnerabilities are fixed. That is how “Search and Destroy” gets its name. It was proudly hosted by ISVTEC, a Linux firm operating in Mauritius.


DAY 0 – A briefing was carried out. We started at around 09.30 hrs setting up our laptops. I always feel the need for a second screen to save time. The briefing was carried out quickly on a whiteboard. I am happy with how all the necessary tools were provided in the ISVTEC conference room. More details in this article by Logan: Operation SAD – DAY 0

DAY 1 – The hacking team were so fast. Everyone reached ISVTEC earlier. It was so intense that I almost forgot lunchtime. All code was submitted and some reviews were extremely fast. The whiteboard was of great help: as soon as a project was completed we moved on to the next one. You can check out another article for Day 1 by Logan – Operation SAD – Day 1

A debrief session was carried out by Logan after the patches were submitted. I would sincerely thank Cyril and of course the staff of ISVTEC, who have welcomed us since the very first day of the hackathon. Indeed, an immense success from the winning team.

As announced some days back, the Cyberstorm Mauritius team will be at the Flying DODO Bagatelle conference room from 13:00 hrs to give a summary of the work done. We will have the pleasure of hearing a superb speech from Avinash Meetoo, CEO of Knowledge7.


Hackathon Mauritius 2016

Cyberstorm.mu, a rebranded name from another group due to a trademark issue, is the first Linux and open source developers team in Mauritius. A hackathon with the theme SAD, “Search and Destroy”, will be organized over 2 consecutive days. Members of Cyberstorm Mauritius will have to fix the maximum possible number of bugs in several open source software projects, including OpenSUSE Linux and other Linux distributions.

It takes place on Thursday 28th and Friday 29th of April 2016, hosted by ISVTEC at its own office.


Operation SAD
  • What is operation S.A.D?

Operation S.A.D, nicknamed Search and Destroy, is the first Linux hackathon we will be holding in Mauritius to massively fix security issues in some open source software. Right now, we'll be dealing with some crypto code which many enterprises, users and embedded appliances rely upon daily.

  • What is a hackathon?

“In June of 1999, OpenBSD held the first hackathon. In the months leading up to this, either Theo or Niels Provos had coined this new word “hackathon”.” Here also we wish to adhere to that same idea of a hackathon.

  • Is everybody invited in a Hackathon?

Quoting from the ones who coined the word hackathon: “Hackathon attendees come by invitation only. Some new people in the community who show promise are sometimes invited to see if they have what it takes. However, hackathons are not developer training events.”

In 3 days we have to focus on fixing the maximum number of bugs that we can. Remember, this is hopefully going to produce a burst of patches from our small island, which is kinda cool 🙂

Next time somebody says that we didn't invite the whole world to participate in the hackathon, you can refer them to this. Ever wondered how many lines of code you can write if you need to focus on getting others up to speed? If you are a developer reading this, you will know that this is not about your technical knowledge, but mostly about the entire procedure to get code from nothing up to production. There will be time for walkthroughs too, but that will be for another project.

  • Why an event when no one is invited to participate?

Not at all. On the 30th of April, we shall have a presentation open to the public, to talk a bit about what we did during the hackathon, how open source software development contribution works in general and, not to forget, the new changes that have been submitted upstream. We will present this in a form that Mauritian tech people can understand.

  • Prizes?

Yes. Despite rumours from some people who do not quite understand how a hackathon works, we are actually offering prizes to 3 people who can solve a set of challenges we are making. The top 3 high school students who manage to do them, based on our criteria, will first get a small walkthrough with us, and will each get a seat at the hackathon. We are targeting youngsters here, because the learning process, the skillset or instinct needed to make someone a hacker, needs to be built with passion, and the perfect time is when one is young.

  • Who is invited on the 30th?

Members of the IT community in Mauritius or elsewhere are invited to join in on Saturday the 30th of April. We shall update you with the correct information as we go along.

  • More information will be posted
  • Sponsors

All of our thanks go to ISVTEC, who are hosting our hackathon. We can truly recommend ISVTEC for all your managed services needs (please visit their website for details about the long list of services provided). Many thanks also to the silent sponsors of cyberstorm.mu who wish to remain silent.