Featured Articles

WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Crowdfunding on Crowd Supply (Review of my experience)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
WordPress Multisite on the Darknet (Mercator .onion alias)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Detecting (Malicious) Unicode in GitHub PRs
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Hardening Guide for phpList
Introducing BusKill: A Kill Cord for your Laptop
previous arrow
next arrow

Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Nightmare on Lemmy "A Fediverse GDPR Horror Story"

This article will describe how lemmy instance admins can purge images from pict-rs (click here if you just want to know how).

This is (also) a horror story about accidentally uploading very sensitive data to Lemmy, and the (surprisingly) difficult task of deleting it.

Intro

tl;dr I (accidentally) uploaded a photo of my State-issued ID to Lemmy, and I couldn’t delete it.

Friends don’t let friends compose jerboa comments in bed before coffee (@theyshane)

A few weeks ago I woke up to my 06:00 AM alarm, snoozed my phone, rubbed my eyes, and started reading /c/worldnews (on Lemmy).

Still half-asleep, I was typing a comment when my thumb accidentally hit the “upload media” button. Up popped a gallery of images. I tried to click the back button, but I missed. I tapped on a photo. The photo that I tapped-on was a KYC selfie image (that I took the previous day for a service that has no business having such PII anyway).

That was all it took — two consecutive mis-taps while half-asleep in bed, and my dumb-ass just inadvertently uploaded a KYC selfie onto the public internet. And thanks to archaic State authentication systems, anyone with
. . . → Read More: Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Verifying Boot Integrity with Heads, PureBoot

This post will help to provide historical context and demystify what’s under the hood of Heads, PureBoot, and other tools to provide Trusted Boot.

I will not be presenting anything new in this article; I merely hope to provide a historical timeline and a curated list of resources.

Intro

The Librem Key cryptographically verifies the system’s integrity and flashes red if it’s detected tampering

I’ve always felt bad about two things:

Because I run QubesOS, I usually disable “Secure Boot” on my laptop I travel a lot, and I don’t have a good way to verify the integrity of my laptop (eg from an Evil Maid that gains physical access to my computer)

To address this, I have turned to Heads and PureBoot — a collection of technologies including an open-source firmware/BIOS, TPM, and a USB security key that can cryptographically verify the integrity of the lowest firmware (and up the chain to the OS).

While Purism has written many articles about PureBoot and has some (minimal) documentation, I found they did a lot of hand waving without explaining how the technology works (what the hell is a “BIOS measurement”?). So I spent a great deal of
. . . → Read More: Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Crowdfunding on Crowd Supply (Review of my experience)

Crowd Supply Review - My experience crowdfunding $18,507 in open-source security hardware

In 2021, I raised $18,507 on CrowdSupply to manufacture and sell the BusKill cable. This article will review my experience working with Crowd Supply.

Introduction

So you have a great idea for a cool product, but you’re not sure how to scrap up the necessary funds to ramp-up production and sell it? If you’re a traditional capitalist then you’d be considering financing your new entrepreneurial venture through loans or venture capital.

But you’re not a capitalist. You want to avoid the fat cats draining equity from your hard labor. Your idea is so cool, why not try your hand at crowdfunding direct from your soon-to-be customers?

Why Crowd Supply?

The first place I looked was Kickstarter. But I did some googling, and I saw so many people complain that they backed a project on kickstarter and never received anything from the creator. In fact, Kickstarter’s own Fulfillment Report says that 9% of all their projects fail to deliver.

And, especially in the computer security department, if anyone with half a brain scans through the projects on kickstarter, even the ones that raise $1 million scream SCAM! Either their promises are unrealistic, they clearly have no idea what they’re talking
. . . → Read More: Crowdfunding on Crowd Supply (Review of my experience)

Monitoring Tor .onion Websites (uptime alerts)

Uptime Monitoring of Tor .onion Websites

This article will present a few simple website availability monitoring solutions for tor onion services.

Problem

So you’ve just setup an Onion Service for your website, but how often do you actually check that it’s working? Maybe it’s a .onion alias to an existing website, and you usually only check it on the clearnet. What’s to prevent the darknet presence of your website from going down for weeks without you noticing?

Indeed, it’s important to monitor your .onion websites so that you can discover and fix issues before your customers do. But how? Most of the popular uptime monitoring solutions (pingdom, freshping, statuscake, etc) certainly can’t monitor .onion websites.

This guide will enumerate some solutions for monitoring .onion websites, so you get an email alert if your site goes down.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Monitoring Tor .onion Websites (uptime alerts)

WordPress Multisite on the Darknet (Mercator .onion alias)

How to use a .onion with Wordpress Multisite

This article will describe how to point a .onion domain at your existing wordpress sites (on wordpress multisite) so that your website will be accessible both on the clearnet and directly on the darknet via a .onion domain.

Intro

There are numerous security benefits for why millions of people use tor every day. Besides the obvious privacy benefits for journalists, activists, cancer patients, etc — Tor has a fundamentally different approach to encryption (read: it’s more secure).

Instead of using the untrustworthy X.509 PKI model, all connections to a v3 .onion address is made to a single pinned certificate that is directly correlated to the domain itself (the domain is just a hash of the public key + some metadata).

Moreover, some of the most secure operating systems send all the user’s Internet traffic through the Tor network — for the ultimate data security & privacy of its users.

In short, your users are much safer communicating to your site using a .onion domain than its clearnet domain.

For all these reasons, I wanted to make all my wordpress sites directly available to tor users. Unfortunately, I found that it’s not especially easy to point a .onion domain at
. . . → Read More: WordPress Multisite on the Darknet (Mercator .onion alias)

We’re on the Darknet! Visit this site at our tor .onion

Visit this site on our .onion

This website is now accessible on the darknet. And how!

Why

Fun fact: the most popular website on the darknet is facebook. There are hundreds of other popular sites on the darknet, including debian, the CIA, the NYT, the BBC, ProPublica, and–now–michaelaltfield.net.

michaelahgu3sqef5yz3u242nok2uczduq5oxqfkwq646tvjhdnl35id.onion

michaelahgu 3sqef5yz3u2 42nok2uczdu q5oxqfkwq64 6tvjhdnl35i     d.onion

All of these organizations chose to make their websites available over .onion addresses so their website will be accessible from millions of daily tor users without leaving the darknet. Besides the obvious privacy benefits for journalists, activists, cancer patients, etc — Tor has a fundamentally different approach to encryption (read: it’s more secure).

Instead of using the untrustworthy X.509 PKI model, all connections to a v3 .onion address is made to a single pinned certificate that is directly correlated to the domain itself (the domain is just a hash of the public key + some metadata).

Moreover, some of the most secure operating systems send all the user’s Internet traffic through the Tor network — for the ultimate data security & privacy of its users.

In short, your users are much safer communicating to your site using a .onion domain than its clearnet domain.

For all these reasons, I
. . . → Read More: We’re on the Darknet! Visit this site at our tor .onion

Introducing BusKill: A Kill Cord for your Laptop

Bus Kill: A USB Kill Cord for your Laptop

This post will introduce a simple udev rule and ~$20 in USB hardware that effectively implements a kill cord Dead Man Switch to trigger your machine to self-destruct in the event that you’re kicked out of the helm position.

Rubber Ducky I <3 you; you make hack time lots of fun!

Let’s consider a scenario: You’re at a public location (let’s say a cafe) while necessarily authenticated into some super important service (let’s say online banking). But what if–after you’ve carefully authenticated–someone snatch-and-runs with your laptop?

Maybe you can call your bank to freeze your accounts before they’ve done significant financial harm. Maybe you can’t.

Or maybe your laptop was connected to your work VPN. In less than 60 seconds and with the help of a rubber ducky, the thief could literally cause millions of dollars in damages to your organization.

Surely there must be some solution to trigger your computer to lock, shutdown, or self-destruct when it’s physically separated from you! There is: I call it BusKill.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Introducing BusKill: A Kill Cord for your Laptop

Mitigating Poisoned PGP Certificates (CVE-2019-13050)

Cert Flooding Featured Image

This article will describe PGP Certificate Flooding attacks as well as inform the reader

How to detect if you have a poisoned certificate in your keyring, How to identify & clean the poisoned cert, and How to update the configuration to prevent it from importing poisoned certs in the future

Last month, an attacker spammed several high-profile PGP certificates with tens of thousands (or hundreds of thousands) of signatures (CVE-2019-13050) and uploaded these signatures to the SKS keyservers.

Without looking very deep, I quickly stumbled on 4 keys that were attacked last month:

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Mitigating Poisoned PGP Certificates (CVE-2019-13050)

Ephemeral Firefox as a Site-Specific Browser (3/3)

Site-Specific Ephemeral Firefox featured image showing a firewall between the facebook and firefox icons

This article is a part 3/3 of a series describing how to setup an Ephemeral Firefox session as a Site-Specific Browser. The ultimate goal is to be able to have a self-destructing browsing session that can only access a single company’s services, such as Google or Facebook.

Part 1/3: Ephemeral Firefox in Ubuntu Part 2/3: Ephemeral Firefox with Extensions Part 3/3: Ephemeral Firefox as a Site-Specific Browser

After setting up the Site-Specific Ephemeral Firefox Browser, you can then blacklist services designated to your Site-Specific browser(s) (such as Google or Facebook) from your main browser. This significantly improves your ability to browse the internet without your activity being tracked by these companies — leaving your sensitive data vulnerable to being stolen by hackers.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Ephemeral Firefox as a Site-Specific Browser (3/3)

Ephemeral Firefox with Extensions (2/3)

icon of ephemeral firefox with icons of popular extensions below it

I recently posted about how to create a sandboxed firefox profile to compartmentalize (and shred) your firefox browsing history in an Ephemeral Firefox session. But so far I’ve only covered how to create a simple vanilla firefox profile. What if you want your Ephemeral Firefox to include a few basic extensions?

This post will cover how to add extensions to your Ephemeral Firefox profile.

Part 1/3: Ephemeral Firefox in Ubuntu Part 2/3: Ephemeral Firefox with Extensions Part 3/3: Ephemeral Firefox as a Site-Specific Browser Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Ephemeral Firefox with Extensions (2/3)