Featured Articles

WordPress Multisite on the Darknet (Mercator .onion alias)
Why I was banned from GrapheneOS by Daniel Micay
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Techlore Interview (BusKill, Interdiction, and OpSec)
WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Detecting (Malicious) Unicode in GitHub PRs
Crowdfunding on Crowd Supply (Review of my experience)
Introducing BusKill: A Kill Cord for your Laptop
Hardening Guide for phpList

Persistent, Sandboxed, Single-Site Browser (firejail and proxychains)

Persistent, Sandboxed, Single-Site, Browser

Or how to avoid getting locked-out of another Google Account

This guide will describe how to set up a persistent browser (for Evil Corp) that’s isolated in a sandbox (with firejail) and forced to use a SOCKS5 proxy so that it retains a static IP address (using proxychains).

Have you ever been locked out of your own account, and then got an email from your service provider annoyingly letting you know that they’ve “blocked a login attempt — for your protection”?

There are countless reports of frustrated users who have permanently lost access to their own Gmail accounts because of Google’s faulty “fraud protection” systems, which locked the account owner out of their own account due to false positives.

Problem

Especially in the past 10 years, large corporations have been using machine-learning anomaly detection systems on their login pages. Unfortunately, sometimes this is (ab)used to take priority over credential authentication challenges.

Even if you enter your username, password, and 2FA credentials correctly on the very first login attempt, you may get locked out of your own account because you “look different”.

. . . → Read More: Persistent, Sandboxed, Single-Site Browser (firejail and proxychains)

Techlore Interview (BusKill, Interdiction, and OpSec)

Michael Altfield Techlore Interview

I’m super happy that Techlore invited me onto their YouTube channel to talk security and privacy 😀

Henry was mostly interested in my work with BusKill (an open-source dead man’s switch), but our conversation ran the gamut of security and privacy issues — including:

How to mitigate state-sponsored interdiction attacks, minimizing the attack surface of mobile phones with baseband processors, the threats that AI “identity verification” systems pose to privacy, and much more.

You can watch the full video below.

Can’t see video above? Watch it on PeerTube at tehlore.tv or on YouTube at youtu.be/cptk6aBbJpU

Consulting

Want to improve your privacy? I can help you secure your online presence to defend against hackers and surveillance.

Operations Security Training
Encrypted Email
Secure Messaging
Whistleblower Best-Practices
Secure Cloud Storage
Secure Video Conferencing
1-on-1 Threat Modeling

Contact me to schedule a call.

If you’d like to purchase a BusKill cable, click here.

If you’d like to contact me, click here.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

Check if Tor Onion Service is alive (python stem get_hidden_service_descriptor)

Check If Tor .onion is Alive or Dead

This article will show how to check if a given Onion Service (i.e. some .onion address) is alive or dead.

Why?

Lots of Onion Services are “here today, gone tomorrow”. If you encounter a large list of Onion Services and want to quickly check which are still alive, the best way to do that is to query the Tor network’s Hidden Service Directory (HSDir).

. . . → Read More: Check if Tor Onion Service is alive (python stem get_hidden_service_descriptor)

Why I was banned from GrapheneOS by Daniel Micay

Why I was BANNED from GrapheneOS

Why was I banned from GrapheneOS? That’s a good question.

Anyone who follows me on GitHub knows that I make a lot of contributions to many different open-source projects, especially security-related ones.

A couple of years ago, I wanted to try out both GrapheneOS and CalyxOS, but I found that a niche security feature that’s very important to me hadn’t been implemented in either ROM, so I opened a friendly feature request ticket in both ROMs’ repos:

https://github.com/GrapheneOS/os-issue-tracker/issues/2052
https://gitlab.com/CalyxOS/calyxos/-/issues/1573

My feature request for GrapheneOS

My feature request for CalyxOS

Neither ticket got much traction. There was some discussion on the CalyxOS ticket. But the GrapheneOS ticket was closed by Daniel Micay (Lead Developer of GrapheneOS at the time) 5 hours after I opened it. I forgot about it.

A year later, someone commented on the GrapheneOS ticket (it was the first and only comment other than Micay’s) expressing interest in my feature request, and including some useful information: an implementation (the one that was blocking the CalyxOS ticket) had already been written by LineageOS.

When I saw the comment in my email inbox (and realized it might unblock the feature getting added to CalyxOS), I got excited. I tried to
. . . → Read More: Why I was banned from GrapheneOS by Daniel Micay

Manually Downloading Container Images (Docker, Github Packages)

This article will describe how to download an image from a (docker) container registry.

Intro

Remember the good ol’ days when you could just download software by visiting a website and clicking “download”?

Even apt and yum repositories were just simple HTTP servers that you could curl (or wget) from. Using the package manager was, of course, more secure and convenient — but you could always download packages manually if you wanted.

But have you ever tried to curl an image from a container registry, such as Docker Hub? Well friends, I have tried. And I have the scars to prove it.

It was a remarkably complex process that took me weeks to figure out. Lucky you, this article will break it down.

Examples

Specifically, we’ll look at how to download files from two OCI registries:

Docker Hub
GitHub Packages

Terms

First, here’s some terminology used by OCI:

OCI – Open Container Initiative
blob – A “blob” in the OCI spec just means a file
manifest – A “manifest” in the OCI spec means a list of files

Prerequisites

This guide was written in 2024, and it uses the following software and versions:

debian 12 (bookworm)
curl 7.88.1
OCI
. . . → Read More: Manually Downloading Container Images (Docker, Github Packages)

3TOFU: Verifying Unsigned Releases

Verifying Unsigned Releases with 3TOFU

This article introduces the concept of “3TOFU” — a harm-reduction process when downloading software that cannot be verified cryptographically.

⚠ NOTE: This article is about harm reduction.

It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you’re going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

TOFU

TOFU stands for Trust On First Use. It’s an (often abused) practice of downloading a person’s or org’s signing key and just blindly trusting it (instead of verifying it).

3TOFU

3TOFU is a process where a user downloads something three times from three different locations. If and only if all three downloads are identical, then you trust it.

Why 3TOFU?

The EFF’s Deep Crack proved DES to be insecure and pushed a switch to 3DES.

During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher — a cipher that was known to be vulnerable.

But there
. . . → Read More: 3TOFU: Verifying Unsigned Releases

Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Nightmare on Lemmy "A Fediverse GDPR Horror Story"

This article will describe how Lemmy instance admins can purge images from pict-rs (click here if you just want to know how).

This is (also) a horror story about accidentally uploading very sensitive data to Lemmy, and the (surprisingly) difficult task of deleting it.

Intro

tl;dr I (accidentally) uploaded a photo of my State-issued ID to Lemmy, and I couldn’t delete it.

Friends don’t let friends compose jerboa comments in bed before coffee (@theyshane)

A few weeks ago I woke up to my 06:00 AM alarm, snoozed my phone, rubbed my eyes, and started reading /c/worldnews (on Lemmy).

Still half-asleep, I was typing a comment when my thumb accidentally hit the “upload media” button. Up popped a gallery of images. I tried to click the back button, but I missed. I tapped on a photo. The photo that I tapped on was a KYC selfie image (that I took the previous day for a service that has no business having such PII anyway).

That was all it took — two consecutive mis-taps while half-asleep in bed, and my dumb-ass just inadvertently uploaded a KYC selfie onto the public internet. And thanks to archaic State authentication systems, anyone with
. . . → Read More: Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Verifying Boot Integrity with Heads, PureBoot

This post will help provide historical context and demystify what’s under the hood of Heads, PureBoot, and other tools that provide Trusted Boot.

I will not be presenting anything new in this article; I merely hope to provide a historical timeline and a curated list of resources.

Intro

The Librem Key cryptographically verifies the system’s integrity and flashes red if it has detected tampering

I’ve always felt bad about two things:

Because I run QubesOS, I usually disable “Secure Boot” on my laptop
I travel a lot, and I don’t have a good way to verify the integrity of my laptop (e.g. against an Evil Maid who gains physical access to my computer)

To address this, I have turned to Heads and PureBoot — a collection of technologies including an open-source firmware/BIOS, TPM, and a USB security key that can cryptographically verify the integrity of the lowest firmware (and up the chain to the OS).

While Purism has written many articles about PureBoot and has some (minimal) documentation, I found they did a lot of hand-waving without explaining how the technology works (what the hell is a “BIOS measurement”?). So I spent a great deal of
. . . → Read More: Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)

Crowdfunding on Crowd Supply (Review of my experience)

Crowd Supply Review - My experience crowdfunding $18,507 in open-source security hardware

In 2021, I raised $18,507 on CrowdSupply to manufacture and sell the BusKill cable. This article will review my experience working with Crowd Supply.

Introduction

So you have a great idea for a cool product, but you’re not sure how to scrape up the necessary funds to ramp up production and sell it? If you’re a traditional capitalist, then you’d be considering financing your new entrepreneurial venture through loans or venture capital.

But you’re not a capitalist. You want to avoid the fat cats draining equity from your hard labor. Your idea is so cool, why not try your hand at crowdfunding direct from your soon-to-be customers?

Why Crowd Supply?

The first place I looked was Kickstarter. But I did some googling, and I saw so many people complain that they backed a project on Kickstarter and never received anything from the creator. In fact, Kickstarter’s own Fulfillment Report says that 9% of all their projects fail to deliver.

And, especially in the computer security department, if anyone with half a brain scans through the projects on Kickstarter, even the ones that raise $1 million scream SCAM! Either their promises are unrealistic, they clearly have no idea what they’re talking
. . . → Read More: Crowdfunding on Crowd Supply (Review of my experience)

Detecting (Malicious) Unicode in GitHub PRs

Detecting Malicious Unicode in GitHub Pull Requests

This article will describe how you can use GitHub Actions to scan user-contributed PRs for Unicode and automatically warn you if such commits contain (potentially invisible and malicious) Unicode characters.

Why

Last month, Trojan Source was published — a paper describing how malicious Unicode characters can make source code appear benign to a reviewer, yet compile to something quite malicious.

. . . → Read More: Detecting (Malicious) Unicode in GitHub PRs