|
||||
Featured Articles      This post will describe how to detect if your network is blocking outgoing ports. In this test, we'll be using nmap and the fine website portquiz.net Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael 
This article will introduce a tool to detect censorship or network tampering using the Open Observatory of Network Interference (OONI) android app, which is part of the Tor Project. The OONI project's mission is to collect data on network providers to determine where the Internet is free and where it's being manipulated. For example, the OONI Explorer displays a world map of such data. On the OONI explorer, you can drill-down on the world map into a specific country to get a list of websites that were detected as being blocked from within that country. For example, when I looked at the history of OONI probe runs within the US, I saw a list of the usual suspects: gambling sites, pornography sites, torrenting sites, etc. More surprising (at least to me) was the number of pastebin sites that were banned. And, despicably, there was a network in the US blocking The Internet Archive When I looked at the data from scans within another great "free country" = India, I saw a lot of cherry-picked censorship on facebook and news articles as it relates to the 2017 genocide of Rohingya Refugees in Burma and various muslim/hindu conflicts. Anyone This article will describe how to bypass censorship from within any network that uses firewalls using Deep Packet Inspection (DPI) built by the Israeli software company Check Point Software Technologies Ltd, such as is being used by the Miami-Dade's Public Library System to censor on their public wifi. I've been very fortunate to live in a country where freedom of speech is a well-protected human right and censorship is generally unaccepted. But, I've long been aware that many States prefer to assert their control over their citizens by controlling their available information. One of the shining achievements from the Tor Project is a system that allows these unfortunate souls to be able to bypass these censors and access the unfettered Internet. Indeed, the UN affirmed that a State's attempt to prevent or disrupt dissemination of information online is a violation of international human rights law, as defined by article 19 of the Universal Declaration of Human Rights. Of course, many States today continue to ban access to the Tor network. In response, Tor provided hidden entry-points called bridge relays that are harder to block. In response to Tor bridges, States purchased firewalls from companies like Check Point to analyze the In this article, I'll describe a procedure for preparing a brand-new USB flash drive for use. First we'll securely erase all the data on the drive, then we'll encrypt the entire drive, and--finally--we'll check the drive for bad blocks. Ah, remember the good-ole days of spinning disks? When your OS could tell your hard *disk* to shred a specific sector? Like it or not, those days are gone in the land of USB flash volumes. There's a lot of great reads on the complications of securely erasing data on a USB thumb drive. Unfortunately, a lot of the techniques are not universal to all technologies or manufacturers. Consequently, my approach is more ignorant, straight-forward, and broad (at the risk of causing these cheap usb drives to fail sooner & the process taking longer): First, I make sure never to write any unencrytped data to the disk Second, when I want to wipe the disk, I fill it entirely with random data Below are the commands that I use to prepare a new usb drive for my use immediately after purchase. These commands are presented as a rough guide; they're mostly idempotent, but you probably want to copy & paste them After 8 years, I've decided to transition from my original GPG key and replace it with one that uses a stronger master key that meets NIST guidelines. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael Today I discovered how to validate the Public Key Algorithm that's used for a given gpg key. Unfortunately, it's extremely unintuitive & took quite a bit of digging to figure out how. So I'm leaving this here in hopes it helps someone in their future searches. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael This post describes how to generate a few backup public key hashes to add to your HTTP Public Key Pinning (HPKP) config that might save you from bricking your domain if Let's Encrypt ever gets untrusted like StartCom did. If you have a healthy distrust of the X.509 PKI trust model, then you've probably heard of HPKP (and probably also HSTS & CAA). Website certificate pinning was a trend first started by google, who hard-coded a pin of their certificates in their Chrome browser. Eventually, google helped build a more standardized pinning method under RFC 7469. And today, it's supported by Chrome, Firefox, and Opera. Pinning is a great TOFU improvement to https, but--if misconfigured--you could "brick" your domain--making it so that your client's browsers will refuse to let them access your site for months or years (interestingly, this has also caused some security experts to think of how HPKP could be abused in ransom-ware). Therefore, it's a good idea to follow a few HPKP Best Practices. Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael 
This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN--and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet. * Assuming your config doesn't leak DNS; see improvements section Update 2017-08-25: Added "kill switch" firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN's vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the 'home' wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP--giving a false sense of privacy). Update 2021-02-01: Fixed GitHub URL of cryptostorm's free OpenVPN configuration file Update 2021-02-14: Fixed GitHub URL of cryptostorm's paid OpenVPN configuration file Update: I wrote this guide in 2017. It's intended for an audience that has As some mega websites deploy APIs that are used nearly ubiquitously on most of the Internet's websites (I'm looking at you Facebook & Google), I've begun to compartmentalize my browsers to "jail" specific website usage to a single, sandboxed browser (profile). This is sometimes referred to as a Site-Specific Browser (SSB). Besides making sure that your SSB is isolated in that it cannot access your regular browser's data (a configuration I plan to document in the future), it's essential to block all network traffic from/to your SSB and all websites, except a whitelist. Unfortunately, getting block-all-then-whitelist functionality in uBlock Origin was annoyingly not documented, so I decided to publish it. If you want uBlock Origin to block all traffic, add the following line to the textbox in your "My filters" tab of uBlock's Dashboard. *.* Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings). Michael Altfield Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡ About Michael |
|
|||
|
Copyright © 2021 Michael Altfield's Tech Blog - All Rights Reserved Powered by WordPress & Atahualpa |
||||
