Featured Articles

WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Crowdfunding on Crowd Supply (Review of my experience)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
WordPress Multisite on the Darknet (Mercator .onion alias)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Detecting (Malicious) Unicode in GitHub PRs
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Hardening Guide for phpList
Introducing BusKill: A Kill Cord for your Laptop
previous arrow
next arrow

Ephemeral Firefox as a Site-Specific Browser (3/3)

Site-Specific Ephemeral Firefox featured image showing a firewall between the facebook and firefox icons

This article is a part 3/3 of a series describing how to setup an Ephemeral Firefox session as a Site-Specific Browser. The ultimate goal is to be able to have a self-destructing browsing session that can only access a single company’s services, such as Google or Facebook.

Part 1/3: Ephemeral Firefox in Ubuntu Part 2/3: Ephemeral Firefox with Extensions Part 3/3: Ephemeral Firefox as a Site-Specific Browser

After setting up the Site-Specific Ephemeral Firefox Browser, you can then blacklist services designated to your Site-Specific browser(s) (such as Google or Facebook) from your main browser. This significantly improves your ability to browse the internet without your activity being tracked by these companies — leaving your sensitive data vulnerable to being stolen by hackers.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Ephemeral Firefox as a Site-Specific Browser (3/3)

Bypassing Check Point firewall DPI Tor-blocking

This article will describe how to bypass censorship from within any network that uses firewalls using Deep Packet Inspection (DPI) built by the Israeli software company Check Point Software Technologies Ltd, such as is being used by the Miami-Dade’s Public Library System to censor on their public wifi.

I’ve been very fortunate to live in a country where freedom of speech is a well-protected human right and censorship is generally unaccepted. But, I’ve long been aware that many States prefer to assert their control over their citizens by controlling their available information. One of the shining achievements from the Tor Project is a system that allows these unfortunate souls to be able to bypass these censors and access the unfettered Internet. Indeed, the UN affirmed that a State’s attempt to prevent or disrupt dissemination of information online is a violation of international human rights law, as defined by article 19 of the Universal Declaration of Human Rights.

Of course, many States today continue to ban access to the Tor network. In response, Tor provided hidden entry-points called bridge relays that are harder to block. In response to Tor bridges, States purchased firewalls from companies like Check Point to analyze the
. . . → Read More: Bypassing Check Point firewall DPI Tor-blocking

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN–and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn’t leak DNS; see improvements section

Update 2017-08-25: Added “kill switch” firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN’s vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the ‘home’ wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP–giving a false sense of privacy).

Update 2021-02-01: Fixed GitHub URL of cryptostorm’s free OpenVPN configuration file Update 2021-02-14: Fixed GitHub URL of cryptostorm’s paid OpenVPN configuration file

Update: I wrote this guide in 2017. It’s intended for an audience that has
. . . → Read More: Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

Tor->VPN in TAILS to bypass tor-blocking

This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings).

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Tor->VPN in TAILS to bypass tor-blocking

pycurl through Tor without leaking DNS lookups

This article describes the correct way to use pycurl over Tor, such that both DNS lookup data and HTTP(S) traffic is sent through Tor’s SOCKS5 proxy.

If you google “pycurl tor”, one of the first results is a stackoverflow post that describes how to configure pycurl using the pycurl.PROXYTYPE_SOCKS5 setting. Indeed, even the tutorial To Russia With Love on the Tor Project’s Official Website describes how to pass pycurl through Tor using the pycurl.PROXYTYPE_SOCKS5 setting.

However, using pycurl.PROXYTYPE_SOCKS5 will leak DNS queries associated with your HTTP requests outside of the Tor network! Instead you should use pycurl.PROXYTYPE_SOCKS5_HOSTNAME.

The –socks5-hostname argument was added to libcurl v7.26.0. The pycurl.PROXYTYPE_SOCKS5_HOSTNAME argument wasn’t added to pycurl until pycurl v7.19.5.1, which (at the time of writing) was less than 2 months ago!

This article will describe how to install pycurl v7.19.5.1 onto the latest version of TAILS at the time of writing, which is TAILS v1.2.3.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: pycurl through Tor without leaking DNS lookups

Resolved: OpenVPN

Jesus. It’s only the second week of school and I’ve already pulled my first all-nighter. This time, however, it was not for school. I was determined to get my OpenVPN server properly setup so that I could finally browse the web securely from the dorms. I only expected this to take a few minutes, but I ended up spending over 7 hours of research, troubleshooting, and configuration changes.

This post will contain a slew of information about smoothwall, zerina, openvpn, and iptables. I’m mostly just going to throw all of my findings here without much of any logical flow.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Resolved: OpenVPN

Smoothwall Update

A few weeks ago, I finally got around to downloading and installing 4 updates to my smoothwall box. Unlike Ubuntu upgrades, this process was farily painless except for one thing: my Zerina OpenVPN ‘plugin’ broke.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Smoothwall Update

Smooth Wall

I’ve wanted to setup a serious linux-based firewall for my home network for some time now, and I finally got around to it yesterday.

There are TON of linux router distros out there, but instead of spending 8 hours picking & choosing, comparing & contrasting, nitpicking & debating, I asked someone else ;). Two buddies of mine have a similar setup at their homes: one uses Smooth Wall; one uses IPCop. I arbitrarily chose Smooth Wall (after actually setting it up, though, I think IPCop would have been a better choice–c’est la vie.

The installation is supposed to be quite painless, and it was–for the most part. The documentation and install process was intuitive and easy to follow, but it didn’t work OOTB. I probably only had so much difficulty because of hardware issues (fried NICs?) which is by no means Smooth Wall’s fault. Nevertheless, it took ~5 hours of bang-your-head-against-the-table troubleshooting ’till I could finally unhook the monitor & keyboard, shove it in a corner, and get some sleep.

I was also disappointed with two things that didn’t work as I had expected OOTB:

DHCP DNS VPN Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and
. . . → Read More: Smooth Wall