Featured Articles

Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Hardening Guide for phpList
WordPress Multisite on the Darknet (Mercator .onion alias)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
Introducing BusKill: A Kill Cord for your Laptop
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Crowdfunding on Crowd Supply (Review of my experience)
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Detecting (Malicious) Unicode in GitHub PRs
previous arrow
next arrow

3TOFU: Verifying Unsigned Releases

Verifying Unsigned Releases with 3TOFU

This article introduces the concept of “3TOFU” — a harm-reduction process when downloading software that cannot be verified cryptographically.

⚠ NOTE: This article is about harm reduction.

It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you’re going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

TOFU

TOFU stands for Trust On First Use. It’s a (often abused) concept of downloading a person or org’s signing key and just blindly trusting it (instead of verifying it).

3TOFU

3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.

Why 3TOFU?

The EFF’s Deep Crack proved DES to be insecure and pushed a switch to 3DES.

During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher — which was a known-vulnerable cipher.

But there
. . . → Read More: 3TOFU: Verifying Unsigned Releases

Detect outgoing port blocking with nmap and portquiz.net

This post will describe how to detect if your network is blocking outgoing ports. In this test, we’ll be using nmap and the fine website portquiz.net

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Detect outgoing port blocking with nmap and portquiz.net

Detecting Censorship or ISP Network Tampering with OONI

This article will introduce a tool to detect censorship or network tampering using the Open Observatory of Network Interference (OONI) android app, which is part of the Tor Project.

The OONI project’s mission is to collect data on network providers to determine where the Internet is free and where it’s being manipulated. For example, the OONI Explorer displays a world map of such data.

On the OONI explorer, you can drill-down on the world map into a specific country to get a list of websites that were detected as being blocked from within that country.

For example, when I looked at the history of OONI probe runs within the US, I saw a list of the usual suspects: gambling sites, pornography sites, torrenting sites, etc. More surprising (at least to me) was the number of pastebin sites that were banned. And, despicably, there was a network in the US blocking The Internet Archive

When I looked at the data from scans within another great “free country” = India, I saw a lot of cherry-picked censorship on facebook and news articles as it relates to the 2017 genocide of Rohingya Refugees in Burma and various muslim/hindu conflicts.

Anyone
. . . → Read More: Detecting Censorship or ISP Network Tampering with OONI

Using uBlock Origin to Whitelist

As some mega websites deploy APIs that are used nearly ubiquitously on most of the Internet’s websites (I’m looking at you Facebook & Google), I’ve begun to compartmentalize my browsers to “jail” specific website usage to a single, sandboxed browser (profile). This is sometimes referred to as a Site-Specific Browser (SSB).

Besides making sure that your SSB is isolated in that it cannot access your regular browser’s data (a configuration I plan to document in the future), it’s essential to block all network traffic from/to your SSB and all websites, except a whitelist. Unfortunately, getting block-all-then-whitelist functionality in uBlock Origin was annoyingly not documented, so I decided to publish it.

If you want uBlock Origin to block all traffic, add the following line to the textbox in your “My filters” tab of uBlock’s Dashboard.

*.* Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Using uBlock Origin to Whitelist

pycurl through Tor without leaking DNS lookups

This article describes the correct way to use pycurl over Tor, such that both DNS lookup data and HTTP(S) traffic is sent through Tor’s SOCKS5 proxy.

If you google “pycurl tor”, one of the first results is a stackoverflow post that describes how to configure pycurl using the pycurl.PROXYTYPE_SOCKS5 setting. Indeed, even the tutorial To Russia With Love on the Tor Project’s Official Website describes how to pass pycurl through Tor using the pycurl.PROXYTYPE_SOCKS5 setting.

However, using pycurl.PROXYTYPE_SOCKS5 will leak DNS queries associated with your HTTP requests outside of the Tor network! Instead you should use pycurl.PROXYTYPE_SOCKS5_HOSTNAME.

The –socks5-hostname argument was added to libcurl v7.26.0. The pycurl.PROXYTYPE_SOCKS5_HOSTNAME argument wasn’t added to pycurl until pycurl v7.19.5.1, which (at the time of writing) was less than 2 months ago!

This article will describe how to install pycurl v7.19.5.1 onto the latest version of TAILS at the time of writing, which is TAILS v1.2.3.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: pycurl through Tor without leaking DNS lookups