Featured Articles

Hardening Guide for phpList
Detecting (Malicious) Unicode in GitHub PRs
WordPress Multisite on the Darknet (Mercator .onion alias)
Introducing BusKill: A Kill Cord for your Laptop
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Crowdfunding on Crowd Supply (Review of my experience)
previous arrow
next arrow
Michael Altfield's gravatar

Make Vector Topographic Maps (Open Street Map, Maperitive, and Inkscape)

How-to Guide to Making Vector Topo Maps with Maperitive and Inkscape

This guide will show you how to generate vector-based topopgraphic maps, for printing very large & high-quality paper wall maps using inkscape. All of the tools used in this guide are free (as in beer).

Intro

I recently volunteered at a Biological Research Station located on the eastern slopes of the Andes mountains. If the skies were clear (which is almost never, as it’s a cloud forest), you would have a great view overlooking the Amazon Rainforest below.

Yanayacu is in a cloud forest on the east slopes of the Andes mountains, just 30 km from the summit of the glacial-capped Antisana volcano (source)

The field station was many years old with some permanent structures and a network of established trails that meandered towards the border of Antisana National Park – a protected area rich with biodiversity that attracts biologists from around the world. At the top of the park is a glacial-capped volcano with a summit at 5,753 meters.

Surprisingly, though Estacion Biologicia Yanayacu was over 30 years old, nobody ever prepared a proper map of their trails. And certainly there was no high-resolution topographical map of the area to be found at the Station.

That
. . . → Read More: Make Vector Topographic Maps (Open Street Map, Maperitive, and Inkscape)

Michael Altfield's gravatar

Manually Downloading Container Images (Docker, Github Packages)

This article will describe how to download an image from a (docker) container registry.

Intro

Remember the good ‘ol days when you could just download software by visiting a website and click “download”?

Even apt and yum repositories were just simple HTTP servers that you could just curl (or wget) from. Using the package manager was, of course, more secure and convenient — but you could always just download packages manually, if you wanted.

But have you ever tried to curl an image from a container registry, such as docker? Well friends, I have tried. And I have the scars to prove it.

It was a remarkably complex process that took me weeks to figure-out. Lucky you, this article will break it down.

Examples

Specifically, we’ll look at how to download files from two OCI registries.

Docker Hub GitHub Packages Terms

First, here’s some terminology used by OCI

OCI – Open Container Initiative blob – A “blob” in the OCI spec just means a file manifest – A “manifest” in the OCI spec means a list of files Prerequisites

This guide was written in 2024, and it uses the following software and versions:

debian 12 (bookworm) curl 7.88.1 OCI
. . . → Read More: Manually Downloading Container Images (Docker, Github Packages)

Michael Altfield's gravatar

3TOFU: Verifying Unsigned Releases

Verifying Unsigned Releases with 3TOFU

This article introduces the concept of “3TOFU” — a harm-reduction process when downloading software that cannot be verified cryptographically.

⚠ NOTE: This article is about harm reduction.

It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you’re going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

TOFU

TOFU stands for Trust On First Use. It’s a (often abused) concept of downloading a person or org’s signing key and just blindly trusting it (instead of verifying it).

3TOFU

3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.

Why 3TOFU?

The EFF’s Deep Crack proved DES to be insecure and pushed a switch to 3DES.

During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher — which was a known-vulnerable cipher.

But there
. . . → Read More: 3TOFU: Verifying Unsigned Releases

Michael Altfield's gravatar

Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Nightmare on Lemmy "A Fediverse GDPR Horror Story"

This article will describe how lemmy instance admins can purge images from pict-rs (click here if you just want to know how).

This is (also) a horror story about accidentally uploading very sensitive data to Lemmy, and the (surprisingly) difficult task of deleting it.

Intro

tl;dr I (accidentally) uploaded a photo of my State-issued ID to Lemmy, and I couldn’t delete it.

Friends don’t let friends compose jerboa comments in bed before coffee (@theyshane)

A few weeks ago I woke up to my 06:00 AM alarm, snoozed my phone, rubbed my eyes, and started reading /c/worldnews (on Lemmy).

Still half-asleep, I was typing a comment when my thumb accidentally hit the “upload media” button. Up popped a gallery of images. I tried to click the back button, but I missed. I tapped on a photo. The photo that I tapped-on was a KYC selfie image (that I took the previous day for a service that has no business having such PII anyway).

That was all it took — two consecutive mis-taps while half-asleep in bed, and my dumb-ass just inadvertently uploaded a KYC selfie onto the public internet. And thanks to archaic State authentication systems, anyone with
. . . → Read More: Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Michael Altfield's gravatar

Guide to Finding Lemmy Communities (Subreddits)

How To Find Lemmy Communities

This article will show reddit refugees how to easily search-for and subscribe-to to popular lemmy subreddits communities across all lemmy instances.

tl;dr use the Lemmy Community Browser https://browse.feddit.de/ Intro

Lemmy is a federated reddit alternative that started in 2019. Thanks to funding from NLNet, Open Collective, Patreon, and Librapay, the project has two full-time developers.

Unlike Reddit, all of Lemmy’s code is open-source under the AGPL.

Context

In 2008, Reddit launched an API that allowed third-party clients to use Reddit. This API has been free for 14 years.

In April 2023, Reddit announced that they would begin charging for use of their API, starting just 3-months later. This made headlines when one developer calculated that reddit’s proposed fee structure would cost them $20 million per year. As a result, most popular reddit apps including Apollo, RIF, ReddPlanet, and Sync are all shutting down in July.

In protest, hundreds thousands of subreddits are participating in a reddit blackout on June 12th.

At the time of writing, all the apps still work and protest hasn’t even started yet, but already thousands of reddit refugees have flocked to lemmy — at a rate of about 2,000 new users per day. And because
. . . → Read More: Guide to Finding Lemmy Communities (Subreddits)

Michael Altfield's gravatar

Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Verifying Boot Integrity with Heads, PureBoot

This post will help to provide historical context and demystify what’s under the hood of Heads, PureBoot, and other tools to provide Trusted Boot.

I will not be presenting anything new in this article; I merely hope to provide a historical timeline and a curated list of resources.

Intro

The Librem Key cryptographically verifies the system’s integrity and flashes red if it’s detected tampering

I’ve always felt bad about two things:

Because I run QubesOS, I usually disable “Secure Boot” on my laptop I travel a lot, and I don’t have a good way to verify the integrity of my laptop (eg from an Evil Maid that gains physical access to my computer)

To address this, I have turned to Heads and PureBoot — a collection of technologies including an open-source firmware/BIOS, TPM, and a USB security key that can cryptographically verify the integrity of the lowest firmware (and up the chain to the OS).

While Purism has written many articles about PureBoot and has some (minimal) documentation, I found they did a lot of hand waving without explaining how the technology works (what the hell is a “BIOS measurement”?). So I spent a great deal of
. . . → Read More: Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Michael Altfield's gravatar

Crowdfunding on Crowd Supply (Review of my experience)

Crowd Supply Review - My experience crowdfunding $18,507 in open-source security hardware

In 2021, I raised $18,507 on CrowdSupply to manufacture and sell the BusKill cable. This article will review my experience working with Crowd Supply.

Introduction

So you have a great idea for a cool product, but you’re not sure how to scrap up the necessary funds to ramp-up production and sell it? If you’re a traditional capitalist then you’d be considering financing your new entrepreneurial venture through loans or venture capital.

But you’re not a capitalist. You want to avoid the fat cats draining equity from your hard labor. Your idea is so cool, why not try your hand at crowdfunding direct from your soon-to-be customers?

Why Crowd Supply?

The first place I looked was Kickstarter. But I did some googling, and I saw so many people complain that they backed a project on kickstarter and never received anything from the creator. In fact, Kickstarter’s own Fulfillment Report says that 9% of all their projects fail to deliver.

And, especially in the computer security department, if anyone with half a brain scans through the projects on kickstarter, even the ones that raise $1 million scream SCAM! Either their promises are unrealistic, they clearly have no idea what they’re talking
. . . → Read More: Crowdfunding on Crowd Supply (Review of my experience)

Michael Altfield's gravatar

WordPress Profiling with XHProf (Debugging & Optimizing Speed)

Debugging & Optimizing Wordpress Speed with XHProf

This guide will show you how to generate and view XHProf reports of your WordPress Site.

This is useful so you can drill-down and see exactly how many microseconds each of your scripts and functions (themes & plugins) are running when generating a page — slowing down your website visitors’ page load speed.


. . . → Read More: WordPress Profiling with XHProf (Debugging & Optimizing Speed)

Michael Altfield's gravatar

Detecting (Malicious) Unicode in GitHub PRs

Detecting Malicious Unicode in GitHub Pull Requests

This article will describe how you can utilize GitHub Actions to scan user-contributed PRs for unicode and automatically warn you if such commits contain (potentially invisible & malicious) unicode characters.

Why

Last month Trojan Source was published — which described how malicious unicode characters could make source code appear benign, yet compile to something quite malicious.


. . . → Read More: Detecting (Malicious) Unicode in GitHub PRs

Michael Altfield's gravatar

Monitoring Tor .onion Websites (uptime alerts)

Uptime Monitoring of Tor .onion Websites

This article will present a few simple website availability monitoring solutions for tor onion services.

Problem

So you’ve just setup an Onion Service for your website, but how often do you actually check that it’s working? Maybe it’s a .onion alias to an existing website, and you usually only check it on the clearnet. What’s to prevent the darknet presence of your website from going down for weeks without you noticing?

Indeed, it’s important to monitor your .onion websites so that you can discover and fix issues before your customers do. But how? Most of the popular uptime monitoring solutions (pingdom, freshping, statuscake, etc) certainly can’t monitor .onion websites.

This guide will enumerate some solutions for monitoring .onion websites, so you get an email alert if your site goes down.


. . . → Read More: Monitoring Tor .onion Websites (uptime alerts)