Featured Articles

Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
WordPress Multisite on the Darknet (Mercator .onion alias)
Hardening Guide for phpList
Introducing BusKill: A Kill Cord for your Laptop
previous arrow
next arrow

WordPress Multisite on the Darknet (Mercator .onion alias)

How to use a .onion with Wordpress Multisite

This article will describe how to point a .onion domain at your existing wordpress sites (on wordpress multisite) so that your website will be accessible both on the clearnet and directly on the darknet via a .onion domain.

Intro

There are numerous security benefits for why millions of people use tor every day. Besides the obvious privacy benefits for journalists, activists, cancer patients, etc -- Tor has a fundamentally different approach to encryption (read: it's more secure).

Instead of using the untrustworthy X.509 PKI model, all connections to a v3 .onion address is made to a single pinned certificate that is directly correlated to the domain itself (the domain is just a hash of the public key + some metadata).

Moreover, some of the most secure operating systems send all the user's Internet traffic through the Tor network -- for the ultimate data security & privacy of its users.

In short, your users are much safer communicating to your site using a .onion domain than its clearnet domain.

For all these reasons, I wanted to make all my wordpress sites directly available to tor users. Unfortunately, I found that it's not especially easy to point a .onion domain at
. . . → Read More: WordPress Multisite on the Darknet (Mercator .onion alias)

Continuous Documentation: Hosting Read the Docs on GitHub Pages (1/2)

Continuous Documentation with Read the Docs (1/2)

This post will describe how to host a sphinx-powered site (using the Read the Docs theme) on your own GitHub Pages site, built with GitHub's free CI/CD tools.

ⓘ Note: If you don't care about how this works and you just want to make a functional repo, you can just fork my 'rtd-github-pages' GitHub repo.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Continuous Documentation: Hosting Read the Docs on GitHub Pages (1/2)

Introducing Coviz.org

Projected Future Spread of COVID-10 on Earth (e2a Apr 07)

I woke up on April 2nd to discover that over 1 million people on earth had tested positive for coronavirus. "I couldn't find a website that was extrapolating the COVID-19 dataset, so I decided to build one"

It took over 4 months for COVID-19 to hit 1 million world-wide, and the graph was showing a horrifying exponential growth of cases. When I saw this, a question popped-into my head: when will it hit 2 million? (spoiler: it took only 13 days to go from 1 million to 2 million)

When will it infect 4 million? 8 million? 100 million? 1 billion? 50% of the population on Earth?

I searched-and-searched, but I couldn't find a website that was extrapolating the COVID-19 dataset daily to predict the future spread of the virus, so I decided to build one myself.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Introducing Coviz.org

Hardening Guide for phpList

phpList Hardening Guide Featured Image

This post will outline recommended steps to harden phpList after install to make it reasonably secure.

phpList is the most popular open-source software for managing mailing lists. Like wordpress, they have a phplist.com for paid hosting services and phplist.org for free self-hosting.

Earlier this week, it was announced that phpList had a critical security vulnerability permitting an attacker to bypass authentication and login as an administrator using an incorrect & carefully-crafted password in some cases. This bug is a result of the fact that [a] PHP is a loosely typed language and [b] the phpList team was using the '==' operator to test for equality of the user's hashed password against the DB. This security pitfall has been known in PHP since at least 2010 (a decade ago!), but I'm sure the same mistake will be made again..

Indeed, security is porous. There's no such thing as 100% vulnerability-free code, and phpList is no exception. But if we're careful in adding layers of security to our infrastructure, then we might be able to protect ourselves from certain 0-days.

That said, here's my recommended steps to making your phpList install reasonably secure.

Michael Altfield

Hi, I’m Michael Altfield. I write articles
. . . → Read More: Hardening Guide for phpList

Ephemeral Firefox as a Site-Specific Browser (3/3)

Site-Specific Ephemeral Firefox featured image showing a firewall between the facebook and firefox icons

This article is a part 3/3 of a series describing how to setup an Ephemeral Firefox session as a Site-Specific Browser. The ultimate goal is to be able to have a self-destructing browsing session that can only access a single company's services, such as Google or Facebook.

Part 1/3: Ephemeral Firefox in Ubuntu Part 2/3: Ephemeral Firefox with Extensions Part 3/3: Ephemeral Firefox as a Site-Specific Browser

After setting up the Site-Specific Ephemeral Firefox Browser, you can then blacklist services designated to your Site-Specific browser(s) (such as Google or Facebook) from your main browser. This significantly improves your ability to browse the internet without your activity being tracked by these companies -- leaving your sensitive data vulnerable to being stolen by hackers.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Ephemeral Firefox as a Site-Specific Browser (3/3)

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN--and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn't leak DNS; see improvements section

Update 2017-08-25: Added "kill switch" firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN's vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the 'home' wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP--giving a false sense of privacy).

Update 2021-02-01: Fixed GitHub URL of cryptostorm's free OpenVPN configuration file Update 2021-02-14: Fixed GitHub URL of cryptostorm's paid OpenVPN configuration file

Update: I wrote this guide in 2017. It's intended for an audience that has
. . . → Read More: Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

Custom Synapse Shortcuts

I've been using Synapse for a few months now. This software is invaluable to my experience on my PC because: # I can *quickly* do what I want to do without fighting with a big, hierarchaial menu # It doesn't require any huge dependencies (I use XFCE, so I don't want something that requires Gnome or KDE libraries)

Unfortunately, the documentation is non-existant. So when I wanted to be able to configure Synapse to execute a custom command when I typed a custom keyword, it took me a while to figure it out.

This post explains how to define custom commands in Synapse to execute custom commands in your terminal. For example, I'll show how to make "Google Drive" open a firefox window to https://drive.google.com

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Custom Synapse Shortcuts

Package Manager Search Commands

In a given week, I touch maybe a half dozen different Operating Systems/Distributions. Some are similar to others (centos, rhel), some--not so much (solaris). The common commands are easy enough to remember ( @ls@ vs @dir@ ), but I always forget how to search through each OS's package manager for a software package. For my reference (and perhaps yours?) here's a list for each of the OSs' package managers I use frequently:

yum - RHEL/CentOS

yum list

apt - Debian/Ubuntu

apt-cache search

pacman - Arch

pacman --sync --search pacman -Ss

portage - Gentoo

emerge --search # pkg names only emerge --searchdesc # pkg names & descriptions emerge -S # alias of --searchdesc  

See Also: "Install 'build-essential' on RHEL/CentOS and OpenSolaris":/wp/?p=231

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

Install "build-essential" on RHEL/CentOS and OpenSolaris

Debian

If you want to be able to compile packages in debain/ubunutu, you can issue the following command:

apt-get install build-essential

 

Red Hat

If you want to be able to compile packages in red hat/centos, you can issue the following command:

yum install make gcc gcc-c++ kernel-devel

...or, if you don't care about maintaining a small footprint, you can get *all* of the development packages (including X devs--eww):

yum groupinstall "Development Tools"

 

Open Solaris

If you want to be able to compile packages in open solaris, you can issue the following command:

pkg install SUNWgcc Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/