Badness Enumeration

Badness enumeration is the concept of making a list of known bad actors and attempting to block them. While it seems intuitive at first glance, badness enumeration should not be relied on for privacy or security. In many cases, it actually does the exact opposite and directly harms the user. This post will attempt to explain why badness enumeration as a concept is flawed and give some examples of its failings in practice....

July 27, 2022 · 6 min · 1183 words · Tommy

FLOSS Security

While source code is critical for user autonomy, it isn’t required to evaluate software security or understand run-time behavior. One of the biggest parts of the Free and Open Source Software definitions is the freedom to study a program and modify it; in other words, access to editable source code. I agree that such access is essential; however, far too many people support source availability for the wrong reasons. One such reason is that source code is necessary to have any degree of transparency into how a piece of software operates, and is therefore necessary to determine if it is at all secure or trustworthy....

February 2, 2022 · 20 min · 4166 words · Rohan Kumar

Laptop Hardware Security

While browsing privacy forums, I often see a lot discussions regarding laptop hardware security, especially in regards to resistance against physical attacks. Unfortunately, most of the advice given on these forums are incorrect, recommending people to buy overpriced products that are significantly less secure than standard laptops. In this post, I will walk you through a quick overview of how hardware security is generally implemented for laptops, what to look for, and what to avoid....

June 10, 2024 · 13 min · 2698 words · Tommy

Multi-factor Authentication

Multi-factor authentication is a security mechanism that requires additional verification beyond your username (or email) and password. This usually comes in the form of a one-time passcode, a push notification, or plugging in and tapping a hardware security key. Common protocols Email and SMS MFA Email and SMS MFA are examples of the weaker MFA protocols. Email MFA is not great as whoever controls your email account can typically both reset your password and receive your MFA verification....

July 16, 2022 · 6 min · 1219 words · Tommy

Setting up MTA-STS with a custom domain on Proton Mail

To this date, Proton Mail doesn’t support MTA-STS for custom domains. While DANE for SMTP is a much better solution to the same problem, MTA-STS exists for a reason: many providers are slow at adopting DNSSEC. DNSSEC is essential to enabling standards such as DANE or SSHFP. Notably, Gmail still does not support DANE but has supported MTA-STS for years. Therefore, MTA-STS and DANE can complement each other, and you should ideally deploy both....

July 13, 2023 · 6 min · 1129 words · Wonderfall

Threat Modeling

The first task a person should do when taking steps to protect their privacy and security is to make a threat model. Defining a threat To make a threat model, we must first define a threat. A common mistake made by people who are just getting into the privacy space is to define the threat as “big-tech companies.” There is a fundamental problem with this definition: Why are we not trusting “big-tech companies,” but then shift our trust to “small-tech companies”?...

July 18, 2022 · 9 min · 1913 words · Tommy