Or how to avoid getting locked-out of another Google Account
This guide will describe how to set up a persistent browser (for Evil Corp) that’s isolated in a sandbox (with firejail) and forced to use a SOCKS5 proxy to retain a static IP address (using proxychains).
Have you ever been locked out of your own account, and then got an email from your service provider annoyingly letting you know that they’ve “blocked a login attempt — for your protection?”
There are countless reports of frustrated users who have permanently lost access to their own Gmail accounts because of Google’s faulty “fraud protection” systems that locked the account owner out of their own account, due to false-positives.
Problem
Especially in the past 10 years, large corporations have been using machine learning anomaly detection systems on their login pages. Unfortunately, sometimes this is (ab)used to have priority over credential authentication challenges.
Even if you enter your username, password, and 2FA credentials correctly on the very first login attempt, you may get locked out of your own account because you “look different”.
I’m super happy that Techlore invited me on their YouTube channel to talk security and privacy 😀
Henry was mostly interested in my work with BusKill (an open-source dead man switch), but our conversation ran a gamut of issues regarding security and privacy — including
How to mitigate State-sponsored interdiction attacks, minimizing attack surfaces of mobile phones with broadband processors, the threats of AI “identity verification” systems on privacy, and much more
You can watch the full video below
Can’t see video above? Watch it on PeerTube at tehlore.tv or on YouTube at youtu.be/cptk6aBbJpU
Consulting
Want to improve your privacy? I can help you secure your online presence to defend against hackers and surveillance.
Operations Security Training
Encrypted Email
Secure Messaging
Whistleblower Best-Practices
Secure Cloud Storage
Secure Video Conferencing
1-on-1 Threat Modeling
Contact me to schedule a call.
If you’d like to purchase a BusKill cable, click here.
If you’d like to contact me, click here.
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
This article will show how to check if a given Onion Service (i.e. some .onion address) is alive or dead.
Why?
Lots of Onion Services are “here today, gone tomorrow”. If you encountered a large list of Onion Services and want to quickly check to see which are still alive, the best way to do that is by querying the Tor network’s Hidden Service Directory (HSDir).
This guide will show you how to generate vector-based topographic maps, for printing very large & high-quality paper wall maps using Inkscape. All of the tools used in this guide are free (as in beer).
Intro
I recently volunteered at a Biological Research Station located on the eastern slopes of the Andes mountains. If the skies were clear (which is almost never, as it’s a cloud forest), you would have a great view overlooking the Amazon Rainforest below.
Yanayacu is in a cloud forest on the east slopes of the Andes mountains, just 30 km from the summit of the glacial-capped Antisana volcano (source)
The field station was many years old with some permanent structures and a network of established trails that meandered towards the border of Antisana National Park – a protected area rich with biodiversity that attracts biologists from around the world. At the top of the park is a glacial-capped volcano with a summit at 5,753 meters.
Surprisingly, though Estacion Biologica Yanayacu was over 30 years old, nobody had ever prepared a proper map of their trails. And certainly there was no high-resolution topographical map of the area to be found at the Station.
This article will describe how to download an image from a (docker) container registry.
Intro
Remember the good ‘ol days when you could just download software by visiting a website and click “download”?
Even apt and yum repositories were just simple HTTP servers that you could just curl (or wget) from. Using the package manager was, of course, more secure and convenient — but you could always just download packages manually, if you wanted.
But have you ever tried to curl an image from a container registry, such as docker? Well friends, I have tried. And I have the scars to prove it.
It was a remarkably complex process that took me weeks to figure-out. Lucky you, this article will break it down.
Examples
Specifically, we’ll look at how to download files from two OCI registries.
Docker Hub
GitHub Packages
Terms
First, here’s some terminology used by OCI:
OCI – Open Container Initiative
blob – A “blob” in the OCI spec just means a file
manifest – A “manifest” in the OCI spec means a list of files
Prerequisites
This guide was written in 2024, and it uses the following software and versions:
This article introduces the concept of “3TOFU” — a harm-reduction process when downloading software that cannot be verified cryptographically.
⚠ NOTE: This article is about harm reduction.
It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you’re going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.
TOFU
TOFU stands for Trust On First Use. It’s an (often abused) concept of downloading a person or org’s signing key and just blindly trusting it (instead of verifying it).
3TOFU
3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.
Why 3TOFU?
The EFF’s Deep Crack proved DES to be insecure and pushed a switch to 3DES.
During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher — which was a known-vulnerable cipher.
This guide will show you how to generate and view XHProf reports of your WordPress Site.
This is useful so you can drill down and see exactly how many microseconds each of your scripts and functions (themes & plugins) are running when generating a page — slowing down your website visitors’ page load speed.
This article will present a few simple website availability monitoring solutions for tor onion services.
Problem
So you’ve just set up an Onion Service for your website, but how often do you actually check that it’s working? Maybe it’s a .onion alias to an existing website, and you usually only check it on the clearnet. What’s to prevent the darknet presence of your website from going down for weeks without you noticing?
Indeed, it’s important to monitor your .onion websites so that you can discover and fix issues before your customers do. But how? Most of the popular uptime monitoring solutions (pingdom, freshping, statuscake, etc) certainly can’t monitor .onion websites.
This guide will enumerate some solutions for monitoring .onion websites, so you get an email alert if your site goes down.
This article will describe how to point a .onion domain at your existing wordpress sites (on wordpress multisite) so that your website will be accessible both on the clearnet and directly on the darknet via a .onion domain.
Intro
There are numerous security benefits for why millions of people use tor every day. Besides the obvious privacy benefits for journalists, activists, cancer patients, etc — Tor has a fundamentally different approach to encryption (read: it’s more secure).
Instead of using the untrustworthy X.509 PKI model, all connections to a v3 .onion address are made to a single pinned certificate that is directly correlated to the domain itself (the domain is just a hash of the public key + some metadata).
Moreover, some of the most secure operating systems send all the user’s Internet traffic through the Tor network — for the ultimate data security & privacy of its users.
In short, your users are much safer communicating to your site using a .onion domain than its clearnet domain.
For all these reasons, I wanted to make all my wordpress sites directly available to tor users. Unfortunately, I found that it’s not especially easy to point a .onion domain at . . . → Read More: WordPress Multisite on the Darknet (Mercator .onion alias)
This article will describe PGP Certificate Flooding attacks as well as inform the reader:
How to detect if you have a poisoned certificate in your keyring, How to identify & clean the poisoned cert, and How to update the configuration to prevent it from importing poisoned certs in the future
Last month, an attacker spammed several high-profile PGP certificates with tens of thousands (or hundreds of thousands) of signatures (CVE-2019-13050) and uploaded these signatures to the SKS keyservers.
Without looking very deep, I quickly stumbled on 4 keys that were attacked last month: