WEGA is now part of Socialcube

WEGA Screenshot

Less than two weeks ago we released the biggest update to Socialcube since its launch in late 2014. Now we present another awesome feature:


What is WEGA?

WEGA is a simple, DNS-based web and ad filtering solution that can be set up in under 2 minutes and automatically protects your PC or even your whole network from threats or annoyances on the web.

You can set it up easily via Socialcube and select which categories of the web you’d like to block. You can also specify a white- and blacklist so all websites you need will still work.

To celebrate our new milestone, WEGA will be free until 15th of September!

After 15th of September the price of WEGA will depend on the institution type and will range from 15€ per year (for private accounts) to 200€ per year (for educational institutions).
If you haven’t already, create your Socialcube account now.

Why should I use WEGA?

  • It’s easy and fast to set up, check out our Setup guide.
  • There is a filter category for many bad things, including Windows 10 spying features. Just select the “Windows 10 spying” category and your Windows 10 won’t be able to spy on you anymore.
  • It can protect your devices from ads, malware, botnets and other nasty stuff on the internet.
  • If set up on your home router, all devices in your network will be protected, even smartphones, printers and smart TVs.
  • WEGA has awesome analytic features so you can keep an eye on the requests your computers make.

Q/A

Q: Can I use it on just one Computer in my home?

A: Absolutely, WEGA can be used by whole networks or individual computers. Just follow the setup guide for the devices you want to use it on.

Q: Can I use it as an Adblocker on my smartphone?

A: Yes! If you select the “Ads and tracking” category, your device will be free of ads. This also means faster page loads and less traffic on your device.

Q: After 15th of September, are there any usage limitations?

A: No, there is no threshold or limit where you are blocked or slowed down as long as it’s not a volume of connections we could consider as an attack on our infrastructure.

Q: Is my data safe?

A: Socialcube was built from the ground up with security and privacy in mind. In our last blog post we explained how we implemented encryption and hashing to protect your data.
Also the data from the webfilter is never on the Socialcube servers and individual users can’t be tracked.

Socialcube 2.0 has landed

Socialcube 2.0 is here

Today we’ve reached a big milestone by releasing Socialcube version 2.0.
We’d like to thank everyone who sent us feedback on how to improve the platform and how to reproduce bugs.
Also you can follow us on Twitter so you won’t miss any updates: https://twitter.com/socialcube_stat

Changelog Socialcube 2.0

New features

  • GradeLink API. This API got much attention in the media and is now finally ready. It allows developers to add Socialcube integration into their apps so they can reward players for academic achievements
  • Added export function for courses (Excel compatible CSV only at the moment)
  • Added institution types (Private, Educational institution, Nonprofit organization, Corporate/Startup). This means also for the first time private users can create a Socialcube account. Parents can use it to reward their kids with XP for house work. [more]
  • Added archiving courses function. Teachers can now archive courses. Archived courses are considered closed, settings can’t be changed, XP can’t be given
  • Added notification system. You can get notifications for events like “received XP”, “student joined course”, etc. Configure it on the settings page
  • Added cubes to code and code to cubes function. This allows users to send cubes to one another or to find geocache-like codes which can be converted to cubes
  • Added a new game: Hackits. You can solve Password-riddles and earn Cubes for every solved level
  • Users can now be in multiple institutions. Also users can have different user types in different institutions so a teacher in one institution can be the student in another
  • Teachers can now define individual grading spectrums with detailed percentages for each grade
  • Added grade “Ungraded” for students whose XP is under the lowest defined grade
  • The language can now be changed via the settings page (only English and German for now)

Updated features

  • Teachers can now select all students when giving XP
  • Added institution log where institution admins can see who joined their institution
  • Added more features for institution admins
  • The alternative xp field is now working properly
  • Teachers can now give XP easier by switching between students with the “TAB” key (added tabindex)
  • The changelog will now be shown via twitter iframe from our official Twitter account
  • Teachers can now set an XP multiplier for each student. This is important for special needs schools and for teachers who want to reward students with “double XP weeks” or similar
  • Added crypto currencies to the Stock game
  • The module Cubes is now an integrated part of Socialcube and can’t be disabled by institution admins anymore
  • Design and font improvements
  • Grading details (XP log and Graphs) are now hidden by default and can be shown with a button click. This makes the grading overview much cleaner for teachers
  • Fixed a bug with the XP bars

Security improvements

  • All uploaded files (eg. pdfs you attach to assignments) are now fully encrypted on our servers and get decrypted just before a user downloads them. After the download the decrypted temp file is deleted. If you choose to delete your user account from Socialcube, part of the decryption key is lost and the file you uploaded won’t be usable by anyone
  • Implemented a brute-force and SQL injection recognition system (Socialcube IDS). If someone tries to hack your account by brute force or SQL injection, the server will block these attempts without them realizing
  • Added token-based login system. You can now see which devices are logged in to your account and you can revoke tokens. This gives you more control over your account

Upcoming features

  • Achievements
  • Report cards
  • Course export to PDF
  • Penny auction system with cubes
  • LDAP login system
  • eduGAIN login system

Technical info for geeks

  • All passwords in our databases are sha512 hashed and salted with multiple dynamic and static salts
  • We will soon move to a system where storing passwords in our database or on our servers is not necessary anymore
  • The file encryption system for all uploaded files uses AES256
  • We switched from Apache to nginx and had notable performance improvements
  • Socialcube now runs on PHP 7. Until now it ran on PHP 5.4
  • For error reporting and performance measurement we use InfluxDB as a UDP server with a Grafana dashboard
  • Socialcube has been reprogrammed to be much more scalable. Frontends now share uploaded data (encrypted) so we can now handle a much heavier load

What’s next?

Not only are we working on the features listed under “Upcoming features” (above), but due to public demand we’ll also be creating tutorials and a help page where you can read about features and learn how to use them.
Our initial goal was to make Socialcube simple enough that it didn’t need a help page, but with every update we get new awesome features and we don’t want our users to be overwhelmed.

We need your help making Socialcube even better

If you found a bug or have a wish for a feature, you can report it here.

Thanks to everyone who helped make this release possible and gave us hints on how to improve the platform!

Enjoy this video animation of 600 days of coding with 259 commits

Austrian password mentality

word cloud of most occurring password parts

The LinkedIn hack was a big catastrophe, and not only for LinkedIn. Since the site failed to salt their passwords, all weak passwords must be considered compromised.

Check if your email address was in the leak: LinkedIn LeakChecker

What does the hack mean for Austrians and their passwords?

Hard facts

  • There were 105.386 accounts with an email address that ended in .at
  • In the datadump there were 76.344 sha1-hashed passwords from those accounts
  • 42.980 (67%) of these passwords can be cracked in under 1 hour on consumer hardware
  • 1.011 accounts were government accounts (ending with gv.at). This includes military
  • 13.239 of the compromised accounts were GMX addresses
  • LinkedIn didn’t salt the passwords. This fact makes this leak much more dangerous
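
Why the missing salt matters, as an added example that is not code from the original post: with plain SHA-1 every account that chose the same password stores the same value, while a per-account salt with a slow KDF makes every record unique. The account names, passwords and the PBKDF2 work factor below are constructed for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from the leak); three users share one password.
ACCOUNTS = {
    "anna@example.at": "123456",
    "bernd@example.at": "123456",
    "clara@example.at": "123456",
    "david@example.at": "correct horse battery staple",
}

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def unsalted_sha1(password):
    """Storage scheme the post describes for the leak: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password):
    """Per-account random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def largest_cluster(stored_values):
    """Size of the biggest group of accounts that share one stored value."""
    return max(Counter(stored_values).values())


unsalted_db = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
salted_db = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    # Unsalted: one stored value covers every account with the same password.
    print("unsalted largest cluster:", largest_cluster(unsalted_db.values()))
    # Salted: every record is unique, so each account has to be checked on its own.
    print("salted largest cluster:", largest_cluster(d for _, d in salted_db.values()))
```
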

Where do these accounts come from?

When we look at the email providers we can see GMX as the most common provider for people with weak passwords with 13239 accounts.

Provider graph

Let’s look a little closer at the passwords

These (partial) words and numbers are in most passwords

Here are the most common passwords in detail and how many times they were found in the leak. Be aware that these are just from the 42.000 weak passwords in the database. The really good passwords don’t show up here.
Most common passwords

So the most used passwords were:

  • 123456
  • linkedin
  • michael
  • 111111

The most common passwords of Austrian accounts as a round dendrogram.
round dendrogram of the most common passwords

Where do we go from here

Since 67% of the analyzed passwords can be considered weak, we have to ask ourselves what good passwords are.

According to Edward Snowden, phrases are good passwords:

Or you can take the XKCD approach:
XKCD on password strength

If your password is something that can be found in a dictionary or only consists of numbers: change it and never use the old one again.