Author Archives: logan

security experts in Mauritius

Cybersecurity in the cyberisland

In Mauritius, we have 7000 people who work in the IT sector. There are many web developers, enterprise software engineers, and infrastructure engineers (sysadmin/netadmin). However, there are very few security engineers.

Most companies in Mauritius tend not to think about security of their infrastructure. Paradoxically, most are increasingly relying on their IT infrastructure to store/retrieve/manipulate their data, which is often sensitive. This has led to very few job openings for security experts. Many still think that security is an "add-on" that they buy. Few realise that security is woven into the development process of the software they are developing for their clients, until the client loses faith due to a security flaw.

Recently, 2 LUGM members and I decided to organize a Security Contest. The goal was to defend and attack a server via the Heartbleed vulnerability to steal sensitive information, such as private keys. After doing a short presentation on Heartbleed, we gave ample time to participants to come up with working code and a reasonable explanation. Heartbleed is fairly old: it happened in 2014.

2 months later, we still hadn't received a single submission. I grew very worried about the current situation in Mauritius. The implications are far-reaching: Most IT workers have little understanding of how vulnerabilities work. There are many self-proclaimed "Hackers" and "Security experts" in Mauritius. However, none of them are able to understand Heartbleed in a detailed manner. Most IT professionals are unable to distinguish between a security expert and someone who is not. In case of a cyberwar, Mauritius would be at an immediate disadvantage.

Developing a local security expert talent pool is one of the key pillars of a "Cyberisland". The rise of the Internet of Things, where almost everything can be hooked to the internet, has many implications in terms of security. A "smart" car can be hijacked, and people killed. We need security experts who can understand the small details of security flaws and come up with reasonable counter-measures to protect our CyberInfrastructure. This requires a LOT of mental effort & time investment. However, I get the impression that most students are more interested in Computer Security as a fashion trend. Few want to do the hard mental work.

Sadly, I noticed the same attitude with professionals working in the IT sector. Many prefer to copy, without any thought as to what is really happening underneath. They rely on work done by others, instead of making the mental effort needed. A good way to test a security expert is to show him a piece of vulnerable code, and ask him to write an exploit for it. The Contest that we designed followed this principle. It encouraged participants to think about the code that they are copying from the Internet.

The net result is that this has negatively impacted the image of Security Experts from Mauritius. I spoke with a friend who resides in Switzerland, and he told me that he read about the security experts from Mauritius. Upon taking a close examination, he wasn't impressed at all. The lack of skills is obvious, according to him. To be fair, I pointed out that at least 2 Mauritians did understand security to a very good level. Looking at the global picture, we still have a long way to go to secure & protect our Cyberisland.

Insecure Internet in Africa & Mauritius

2 years ago

In 2013, like many Internet Users I was deeply shocked when I learned about the extent of Pervasive Internet surveillance. Countries were monitoring your actions on the Internet, and they were secretly collecting your data. Many Internet institutions took a public stand: https://www.icann.org/news/announcement-2013-10-07-en

Now in 2015

2 years later, despite the Montevideo Statement, pervasive surveillance is still present. There is little indication that those countries are going to stop. Projects like DNSSEC & PKI(s) to improve the security of the internet are here. However, DNSSEC & PKI solve 2 specific problems. DNSSEC provides an authentication mechanism for DNS. You can have some level of confidence that www.ebay.com is secure when you connect to it via DNSSEC. One of the major limitations of DNSSEC is that the question/response is not encrypted. A 3rd party can monitor my DNSSEC messages, and build a profile about my surfing habits, such as the time I usually check my bank account.
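The DNSSEC limitation described above, as an added example that is not part of the original post: it builds a DNSSEC-enabled query in DNS wire format and then reads the queried name back out of the raw bytes, which is all a party on the path needs to do. The function names and the transaction ID are constructed for illustration.

```python
import struct


def encode_qname(name: str) -> bytes:
    """Encode a host name as length-prefixed DNS labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dnssec_query(name: str, txid: int = 0x1A2B) -> bytes:
    """A-record query carrying an EDNS0 OPT record with the DO bit set."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT record (RFC 6891): root name, TYPE=41, CLASS=UDP payload size,
    # TTL field = ext-rcode | version | flags (DO = 0x8000), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def observe_query(packet: bytes) -> dict:
    """What anyone on the path can read from the bytes, with no keys at all."""
    arcount = struct.unpack("!H", packet[10:12])[0]
    pos, labels = 12, []
    while packet[pos] != 0:  # queries carry the name uncompressed
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # skip the terminating zero-length label
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    dnssec_ok = False
    if arcount and packet[pos] == 0:  # OPT record owner name is the root
        rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        dnssec_ok = rtype == 41 and bool(ttl & 0x8000)
    return {"qname": ".".join(labels), "qtype": qtype, "dnssec_ok": dnssec_ok}


if __name__ == "__main__":
    wire = build_dnssec_query("www.ebay.com")
    print(wire.hex())
    print(observe_query(wire))
```

DNSSEC adds signatures to the answers; nothing in the question or the answer is encrypted, so the name stays readable even when DNSSEC data is requested.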

PKI

PKI can be leveraged by ISPs to prevent accidental or intentional prefixes from being hijacked. The best-known incident is when Pakistan Telecom broke YouTube on the whole Internet. However, when we look at the Internet, there are more avenues to make the Internet more secure, such as protecting against address spoofing, which is causing routine DDoS attacks against websites such as GitHub. The next question is: who is taking care of securing the other bits of the Internet in our region? How much is Africa investing into not only improving Internet connectivity, but also securing our Internet? (BCP-38 anyone?)

Banks in Africa

The local banks are discouraging me from getting my statements via mail. They send them to me by email. However, that email is not encrypted or digitally signed. My bank is also discouraging me from doing transactions by writing on a paper in one of their offices. They want me to use their mobile application which goes through some secure encryption scheme through a hostile Internet. I poked around, and realised that there are some issues with their security scheme. Can we trust NIST recommendations for cryptography when NIST vetted specifications that contained backdoors? (URL of a discussion: http://lists.elandnews.com/archive/mauritius/internet-users/2015/06/2128.html)

Everyday habits

A few days ago, another set of documents revealed that the NSA is breaking VPN, SSH and HTTPS on a massive scale (geeky details here: http://thehackernews.com/2015/10/nsa-crack-encryption.html). Those technologies are those that I use for my banking transactions, and also for accessing the office remotely when I need to work. They are also used when I read my mail, whether corporate or personal. What's worse is that it's becoming frighteningly cheaper for a small organization to do that thanks to the dropping price of computing power.

What are our organizations doing ?

Isn't it time for our public and private sectors to seriously look into improving the security of our internet that we rely upon daily for doing important things ? What about the Cyber/Internet Institutions that have a mandate and a budget in Africa & Mauritius ?

Emtel <-> Orange peering problem

Peering problem again

It looks like peering problems between Emtel & Orange are more frequent than I thought! With an average of 662ms, this is definitely BAD. A few days ago, I was getting 70ms as average.


ping 41.136.243.249
PING 41.136.243.249 (41.136.243.249): 56 data bytes
64 bytes from 41.136.243.249: icmp_seq=0 ttl=51 time=584.352 ms
64 bytes from 41.136.243.249: icmp_seq=1 ttl=51 time=607.247 ms
64 bytes from 41.136.243.249: icmp_seq=2 ttl=51 time=627.821 ms
64 bytes from 41.136.243.249: icmp_seq=3 ttl=51 time=667.448 ms
64 bytes from 41.136.243.249: icmp_seq=4 ttl=51 time=824.904 ms
^C
--- 41.136.243.249 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 584.352/662.354/824.904/85.746 ms

Emtel AirBox & Orange latency test



Emtel Airbox

When Emtel announced their Airbox, I was initially thrilled, like many other Internet Users. A number of people who were very annoyed with Orange, decided to switch, causing Emtel to struggle to cope with the demand.

Orange to Emtel latency test

I asked a friend to give me his Emtel AirBox IP address to test the latency from my ISP to him, and also the other way round.

PING 154.71.9.70 (154.71.9.70) 56(84) bytes of data.
64 bytes from 154.71.9.70: icmp_seq=7 ttl=54 time=31.8 ms
64 bytes from 154.71.9.70: icmp_seq=8 ttl=54 time=12.0 ms
64 bytes from 154.71.9.70: icmp_seq=13 ttl=54 time=18.5 ms
64 bytes from 154.71.9.70: icmp_seq=16 ttl=54 time=10.6 ms
64 bytes from 154.71.9.70: icmp_seq=17 ttl=54 time=16.5 ms
64 bytes from 154.71.9.70: icmp_seq=19 ttl=54 time=13.5 ms
^C
--- 154.71.9.70 ping statistics ---
19 packets transmitted, 6 received, 68% packet loss, time 18037ms

Wohoo! It looks like Emtel and Orange are finally moving to correct the peering issues that I identified earlier. We now moved from 78ms to an average of 13ms from Orange to Emtel Airbox.

From Emtel to Orange

Nishal advised to also test the other way: from Emtel to Orange. I asked my friend to ping my Myt30MB/s IP address. The results are:

ping 41.136.241.246
Pinging 41.136.241.246 with 32 bytes of data:
Reply from 41.136.241.246: bytes=32 time=17ms TTL=54
Reply from 41.136.241.246: bytes=32 time=12ms TTL=54
Reply from 41.136.241.246: bytes=32 time=12ms TTL=54
Ping statistics for 41.136.241.246:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 17ms, Average = 13ms

Awesome! We are also getting an average of 13ms from Emtel Airbox to Orange.

Wait a second !

How come we are observing 68% packet loss from Orange to Emtel? That means that on average, more than 3/5 of the traffic is lost, and eventually re-transmitted. That's bad! It's killing performance for my friend's Internet connection. In other words: high packet loss can slow TCP down to a crawl.

High latency and packet loss are among the major problems of Internet users in Mauritius. Emtel should look into improving its wireless coverage to reduce packet loss to at most one tenth for the Emtel Airbox customers to enjoy a decent Internet connection. I'm also happy to see some action from Emtel and Orange to fix the peering. However, there's still a lot of work ahead of us.
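An added example, not part of the original post: it recomputes loss and average RTT from the ping formats quoted in these posts and checks the loss against the one-tenth target named above. The throughput ceiling uses the Mathis et al. (1997) approximation with two assumptions: a 1460-byte MSS, and ICMP loss taken as a stand-in for the loss TCP would see.

```python
import math
import re

# Summary-line formats of the ping flavours quoted in these posts.
SUMMARY_PATTERNS = [
    # iputils (Linux) and BSD/macOS: "19 packets transmitted, 6 received, ..."
    re.compile(r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) (?:packets )?received"),
    # Windows: "Packets: Sent = 4, Received = 3, Lost = 1 (25% loss)"
    re.compile(r"Sent = (?P<sent>\d+), Received = (?P<recv>\d+)"),
]
# Per-reply RTT: "time=31.8 ms" or "time=17ms"; the "time 18037ms" total is skipped.
RTT_PATTERN = re.compile(r"time[=<]([\d.]+) ?ms")
MAX_LOSS = 0.10  # "at most one tenth", the target named in the post


def summarize(ping_output: str) -> dict:
    """Recompute loss and average RTT from raw ping output."""
    for pattern in SUMMARY_PATTERNS:
        match = pattern.search(ping_output)
        if match:
            break
    else:
        raise ValueError("no ping summary line found")
    sent, recv = int(match["sent"]), int(match["recv"])
    rtts = [float(value) for value in RTT_PATTERN.findall(ping_output)]
    loss = (sent - recv) / sent if sent else 0.0
    return {
        "sent": sent,
        "received": recv,
        "loss": loss,
        "avg_ms": sum(rtts) / len(rtts) if rtts else None,
        "loss_ok": loss <= MAX_LOSS,
    }


def mathis_ceiling_bps(avg_ms: float, loss: float, mss_bytes: int = 1460) -> float:
    """Upper bound on steady-state TCP throughput: (MSS/RTT) * sqrt(3/2) / sqrt(p)."""
    # Assumption: the model was derived for small loss rates. At high loss,
    # retransmission timeouts dominate and real TCP does worse than this bound.
    if loss <= 0:
        return math.inf
    return (mss_bytes * 8 / (avg_ms / 1000)) * math.sqrt(1.5 / loss)


# Output lines copied from the two tests in the post.
ORANGE_TO_EMTEL = """\
64 bytes from 154.71.9.70: icmp_seq=7 ttl=54 time=31.8 ms
64 bytes from 154.71.9.70: icmp_seq=8 ttl=54 time=12.0 ms
64 bytes from 154.71.9.70: icmp_seq=13 ttl=54 time=18.5 ms
64 bytes from 154.71.9.70: icmp_seq=16 ttl=54 time=10.6 ms
64 bytes from 154.71.9.70: icmp_seq=17 ttl=54 time=16.5 ms
64 bytes from 154.71.9.70: icmp_seq=19 ttl=54 time=13.5 ms
19 packets transmitted, 6 received, 68% packet loss, time 18037ms
"""
EMTEL_TO_ORANGE = """\
Reply from 41.136.241.246: bytes=32 time=17ms TTL=54
Reply from 41.136.241.246: bytes=32 time=12ms TTL=54
Reply from 41.136.241.246: bytes=32 time=12ms TTL=54
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""
```

Calling `summarize()` on either sample and passing `avg_ms` and `loss` to `mathis_ceiling_bps()` gives the loss verdict and the throughput bound for that direction.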

Mauritius Internet Exchange Point and Our Latency




What is an Internet exchange point ?


An Internet Exchange Point is basically a busy bus station where all of the island's internet traffic meets. I have a friend who lives in Mont Roches, and he lives very close by. We often play Counter Strike or other games. He could be an Emtel customer, whereas I am an Orange customer. It makes no sense for his gaming session to go through Europe or the US when he is playing against me. The same goes for me. The Mauritius Internet Exchange Point is where my traffic and his internet traffic can meet each other. Instead of going through Europe, his ISP can talk to my ISP through the Internet Exchange Point. The advantage of doing that for Internet users is that the latency is reduced. The time it takes for his internet traffic to reach my computer is reduced. At least that's how it's supposed to be.


A few weeks ago ...

While doing a latency test from Emtel to Orange, I realised that the latency was almost 350 ms . That's huge for traffic which is supposed to be managed by the Mauritius Internet Exchange Point. In countries like Kenya, The Kenyan Internet Exchange Point can reduce latencies among local ISP to 2-10 ms . 350ms is the latency I usually get from gaming servers in Europe.

I send a mail

Being curious, I write a mail, and I get a reply from one of the members of the Mauritius Internet Exchange Point Association, asking for more technical details.

A few days later ...

I do the same test from Emtel to Orange, and I get 78ms as latency! That's cut almost to one third. That's reasonable, but in my humble opinion, if the Kenyan Internet Exchange Point can get 2-10ms, why can't we get that? What is the advantage of a very low latency in Mauritius? Well, we can get a fluid experience for gamers hosting local matches. We can get our Viber/WhatsApp for people who do voice calls. Below 50ms, interesting mobile applications for the Mauritian market can hatch. Right now, the voice quality of Viber calls is horrible in Mauritius. If we had a local Viber node, and latency of around 20ms, we would get a great experience talking to another Mauritian on the island.

The future

I sincerely hope that the Mauritius Internet Exchange Point fixes the latency issue. 78 ms is still quite high for local Internet traffic between ISPs, where other countries are reaching 2-10ms between ISPs. I'm positive that my dream of improving the Internet in Mauritius is slowly becoming reality as many gamers are currently getting better latencies from Emtel Airtel to Orange FTTH, and vice-versa. We can still do better!

Linux meetup : An introduction to Flask by Avinash Meetoo

Flask is a web microframework which was created by Armin Ronacher of Pocoo, and it is written in Python. The “micro” in microframework means Flask aims to keep the core simple but extensible.

Flask is based on MVC Web Architecture which allows you to have models, views and controllers and plugins can be added to make it more powerful. LinkedIn and Pinterest both make use of Flask.
Flask is considered more Pythonic than Django because Flask web application code is in most cases more explicit.

The code below shows a simple web application which was explained by Avinash Meetoo during the Linux meetup.


    # First we import the Flask class.
    from flask import Flask
    # render_template is a function imported from the flask module.
    from flask import render_template

    # Next we create an instance of this class called app, which is basically a controller.
    # __name__ is needed so that Flask knows where to look for assets like css, js and templates.
    app = Flask(__name__)

    # Next, we define the route for the home of the web application,
    # which is accessed through the url localhost:5000/
    @app.route('/')
    def home():
        # home() is the function that is executed each time a request comes to this route ('/').
        # It renders the template 'home.html'.
        return render_template('home.html')

    # Makes sure the server only runs if the script is executed directly from the
    # Python interpreter and not used as an imported module.
    if __name__ == '__main__':
        # Finally we use the run() function to run the local server with our application.
        # debug=True turns on the reloader and the interactive debugger, which can run
        # code from the browser: use it for local development only.
        app.run(debug=True)

 

“demo.py” was used as the controller to render the template ‘home.html’ .

During this presentation, Avinash Meetoo explained the codes and functionalities that he used when he created a web application for the general elections in 2014. “electionsmauritius.py” was used as the controller to run the application.
Flask is easy to get started with as a beginner because there is little boilerplate code for getting a simple app up and running.
The presentation can be found on the YouTube link below:

 

Summary done by Neha Gunnoo.

 

Opensource Web application in Collaboration with Government Agency

The Data Protection Office has a self-assessment questionnaire ( http://dataprotection.govmu.org/English//DOCUMENTS/SELF%20ASSESSMENT%20PDF.PDF ) for compliance with Data Protection obligations. Doing such an assessment on paper and evaluating the results can be a cumbersome process.

Subramanian Moonesamy, Ishwon K. Sookun, Bundhoo Mohammad Nadim, Tejas Pagooah and Ajay Ramjatan volunteered five months of time and effort to develop a Privacy Compliance Assessment Webapp in collaboration with the Data Protection Office to make the process as user-friendly as possible. The Web app can be accessed at http://www.elandsys.com/~sm/privacy-mu/


It is the first time a group of volunteers in Mauritius has developed an Open Source Software project in collaboration with a government agency. It was also meant to showcase responsive web design, i.e. the Webapp looks good on a desktop, a tablet or a mobile.

The webapp does not store cookies, nor uses any other web tracking mechanism. Hence anyone who conducts an assessment using this webapp can do it anonymously, without any fear of being tracked.

The webapp is free software and can be freely distributed or modified under GNU General Public License.

Quick fix for fast forward youtube



Symptom

Youtube loads but there is no sound, and youtube seems to be playing in fast forward mode.

After digging around, I realised that the sound sub-system of Linux badly needs to be fixed. It tries to play through the audio HDMI port first. YouTube should also fix their sound output code on Linux. The trick is to disable the HDMI codec driver for the sound.

Add this line in modprobe.conf: blacklist snd_hda_codec_hdmi

I've seen huge threads about this problem on various forums. Maybe this will help a few people.

Linux Meetup (29/08/2015)




A Linux Meetup after a long time !

We held our first meetup after a very very long time :) I wasn't expecting 71 people, but we got around 13 people who showed up. Quite a few couldn't make it at the last minute. The usual suspects showed up with the addition of Ashvin, who made it this time :) 2 employees of Mauritius Telecom were also present.

Bufferbloat explained

I demo'ed and explained the bad latency that Internet users experienced on the DSLReports website. I explained how, once you cross 5MB/s, your bandwidth isn't that important anymore. Now, we need to talk about latency. When I showed how, by implementing CoDel, we could solve the latency problem, the 2 employees of Mauritius Telecom understood the issue at hand. Unfortunately, none of the Emtel, Canal+ or Bharat Telecom engineers were around, sadly.

I hope that ISP guys get the message concerning the need for low latency in Mauritius for us to be able to benefit from a good service for services like VOIP, gaming, teleconference, and IMs.

With Open Source software and Linux, we were able to show how we can still achieve low latency while saturating both our uplink and downlink on a Mauritius Telecom MyT/30 Mbit/s connection. Quite a few people, in particular Ajay Ramjatan & Shaan Nobee, asked a lot of questions regarding fq_codel and the theory behind AQM.

I sincerely hope to see University students pick up on research related to bufferbloat and how to fix it. I hope that Wifi will be fixed, as well as possibly adjusting CoDel for Mauritius.

There were a few questions regarding the IETF, and the applicability of standards. I explained how participation in standards is crucial for emerging countries like ours. In particular, I emphasized the importance of sending Networking and Systems Engineers to conferences like the IETF, through the budget for training, rather than sending marketing guys, who would never be able to sell anything to a knowledgeable engineer. Too many IT companies think that investing in training is too expensive, and do not realise how they can grow their portfolio of services for their customers.

Overall, it was a fun meetup. I hope that we, Linux users, can work together with ISPs to fix the latency issues that 99% of customers are currently experiencing right now.

URL for my presentation: my presentation
Dave Taht's talk on Bufferbloat At Stanford:
Dave Taht talk at Stanford

--Logan
C-x-C-c