Featured Articles

Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Detecting (Malicious) Unicode in GitHub PRs
Introducing BusKill: A Kill Cord for your Laptop
Hardening Guide for phpList
WordPress Multisite on the Darknet (Mercator .onion alias)
previous arrow
next arrow

New Thumb Drive Encryption Procedure

In this article, I'll describe a procedure for preparing a brand-new USB flash drive for use. First we'll securely erase all the data on the drive, then we'll encrypt the entire drive, and--finally--we'll check the drive for bad blocks.

Ah, remember the good-ole days of spinning disks? When your OS could tell your hard *disk* to shred a specific sector? Like it or not, those days are gone in the land of USB flash volumes.

There's a lot of great reads on the complications of securely erasing data on a USB thumb drive. Unfortunately, a lot of the techniques are not universal to all technologies or manufacturers. Consequently, my approach is more ignorant, straight-forward, and broad (at the risk of causing these cheap usb drives to fail sooner & the process taking longer):

First, I make sure never to write any unencrytped data to the disk Second, when I want to wipe the disk, I fill it entirely with random data

Below are the commands that I use to prepare a new usb drive for my use immediately after purchase. These commands are presented as a rough guide; they're mostly idempotent, but you probably want to copy & paste them
. . . → Read More: New Thumb Drive Encryption Procedure

How to check the Public Key Algorithm used for a given gpg key (ie: RSA vs DSA)

Today I discovered how to validate the Public Key Algorithm that's used for a given gpg key. Unfortunately, it's extremely unintuitive & took quite a bit of digging to figure out how. So I'm leaving this here in hopes it helps someone in their future searches.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: How to check the Public Key Algorithm used for a given gpg key (ie: RSA vs DSA)

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN--and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn't leak DNS; see improvements section

Update 2017-08-25: Added "kill switch" firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN's vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the 'home' wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP--giving a false sense of privacy).

Update 2021-02-01: Fixed GitHub URL of cryptostorm's free OpenVPN configuration file Update 2021-02-14: Fixed GitHub URL of cryptostorm's paid OpenVPN configuration file

Update: I wrote this guide in 2017. It's intended for an audience that has
. . . → Read More: Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

Tor->VPN in TAILS to bypass tor-blocking

This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings).

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Tor->VPN in TAILS to bypass tor-blocking

Eavesdropping Analysis of PGP Metadata

This post attempts to answer the following question: If an evesdropper intercepts a message encrypted with gpg, how much information will they be able to extract from the message without a decryption key?

I will show the unencrypted metadata added to a GPG-encypted message, and I will present commands that can be used to extract this unencrypted metadata.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Eavesdropping Analysis of PGP Metadata

My Search for The Best MP3 Player

I'm going on another cross-country cycling trip this summer, and I'm in the market for a good, solid MP3 player.

Disclaimer: I'm a software guy who likes my devices to be good quality and long lasting. I'm by no means an audiophile, hardware tech, or professional MP3 player reviewer. All of my research was done using Google, and the only MP3 player I've owned is the Sansa e260 v2.

Requirements

Note: These are my personal requirements. They effectively eliminated a *lot* of products in the MP3 market.

1. Rockbox Support

First and foremost, I need rockbox support. Rockbox is a must-have FOSS firmware for MP3 players with a fantastic feature list. You can buy an MP3 player with terrific hardware design, but your experience can be absolutely ruined by poorly designed firmware. My old Sansa e260 was this way, but once I installed rockbox, it was like the device was freed from a software prison. And, of course--another benefit of it being open source--you can completely customize the look+feel of your MP3 player with other user's custom rockbox themes.

Here is a list of MP3 players (targets) and their support status for the Rockbox firmware.

2. Rugged Components that
. . . → Read More: My Search for The Best MP3 Player

Package Manager Search Commands

In a given week, I touch maybe a half dozen different Operating Systems/Distributions. Some are similar to others (centos, rhel), some--not so much (solaris). The common commands are easy enough to remember ( @ls@ vs @dir@ ), but I always forget how to search through each OS's package manager for a software package. For my reference (and perhaps yours?) here's a list for each of the OSs' package managers I use frequently:

yum - RHEL/CentOS

yum list

apt - Debian/Ubuntu

apt-cache search

pacman - Arch

pacman --sync --search pacman -Ss

portage - Gentoo

emerge --search # pkg names only emerge --searchdesc # pkg names & descriptions emerge -S # alias of --searchdesc  

See Also: "Install 'build-essential' on RHEL/CentOS and OpenSolaris":/wp/?p=231

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

Google Chrome in 64-bit Sabayon Linux

I really should be studying for my stat exam tomorrow, but I was logging into my.ucf to download my lecture notes, and while Blackboard Learning System (the really shitty replacement for WebCT) was stuck in an infinite loading loop (most probably caused by incompetent javascript) I decided to finally get Google Chromium (which apparently has an excellent javascript engine) working on my Sabayon Linux desktop.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Google Chrome in 64-bit Sabayon Linux

Rockbox - Sansa e260v2

I bought a cheap, $30 refurbished MP3 player off of woot back in December '08: the
. . . → Read More: Rockbox - Sansa e260v2

xen hung at "Checking for hardware changes"

So, xen is really beginning to piss me off. I turned off all my machines to do a snapshot, and when I tried to bring them back up, they were all in the 'blocked' state. Upon further investigation (using virt-manager/xm console), I found that they were hung at the "Checking for hardware changes" item in their boot process. This could be a CentOS/RHEL 5 issue, but I'm putting my money on xen.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: xen hung at "Checking for hardware changes"