Badness Enumeration

Badness enumeration is the concept of making a list of known bad actors and attempting to block them. While it seems intuitive at first glance, badness enumeration should not be relied on for privacy or security. In many cases, it actually does the exact opposite and directly harms the user. This post will attempt to explain why badness enumeration as a concept is flawed and give some examples of its failings in practice....

July 27, 2022 · 6 min · 1183 words · Tommy

ChromeOS's Questionable Encryption

Premise ChromeOS encrypts user data on the disk by default. The implementation details are documented upstream but not relevant within the scope of this post. It is well-known that ChromeOS uses Google account passwords as the primary login credentials. This necessarily means that anyone with knowledge of the Google account password is able to unlock and therefore decrypt a ChromeOS user profile. Practical Implications The very same Google account passwords used for ChromeOS authentication are also used for logging in to various Google services in web browsers and other apps....

April 25, 2024 · 2 min · 279 words · Tommy

Desktop Linux Hardening

Linux is not a secure desktop operating system. However, there are steps you can take to harden it, reduce its attack surface, and improve its privacy. Before we start… Some of the sections will include mentions of unofficial builds of packages like linux-hardened, akmod, hardened_malloc, and so on. These are not endorsements — they are merely to show that you have options to easily obtain and update these packages. Using unofficial builds of packages means adding more parties to trust, and you have to evaluate whether it is worth doing so for the potential privacy/security benefits or not....

August 17, 2022 · 25 min · 5320 words · Tommy

Firewalling with MirageOS on Qubes OS

MirageOS is a library operating system with which you can create a unikernel for the sole purpose of acting as Qubes OS’s firewall. In this post, I will walk you through how to set this up. Advantages Small attack surface. The unikernel only contains a minimal set of libraries to function, so it has a much smaller attack surface than a general-purpose operating system like a Linux distribution or OpenBSD....

August 26, 2022 · 2 min · 339 words · Tommy

Laptop Hardware Security

While browsing privacy forums, I often see a lot of discussions regarding laptop hardware security, especially in regards to resistance against physical attacks. Unfortunately, most of the advice given on these forums is incorrect, recommending that people buy overpriced products that are significantly less secure than standard laptops. In this post, I will walk you through a quick overview of how hardware security is generally implemented for laptops, what to look for, and what to avoid....

June 10, 2024 · 13 min · 2698 words · Tommy

Secure Time Synchronization on macOS

macOS by default uses the unencrypted and unauthenticated Network Time Protocol (NTP) for time synchronization. A popular solution to mitigate this problem is to use ChronyControl to set up NTS. However, the application requires administrator privileges, which is less than ideal. In this post, I will go over how to leverage virtualization to set up a local Linux server, update its time using NTS, and synchronize your macOS host with it using NTP, all without needing a privileged application....

June 25, 2023 · 6 min · 1126 words · Tommy

Setting up MTA-STS with a custom domain on Proton Mail

To date, Proton Mail doesn’t support MTA-STS for custom domains. While DANE for SMTP is a much better solution to the same problem, MTA-STS exists for a reason: many providers are slow at adopting DNSSEC. DNSSEC is essential to enabling standards such as DANE or SSHFP. Notably, Gmail still does not support DANE but has supported MTA-STS for years. Therefore, MTA-STS and DANE can complement each other, and you should ideally deploy both....

July 13, 2023 · 6 min · 1129 words · Wonderfall

Update your Signal TLS Proxy

Given the current censorship situation in Iran, I decided to have a look at the Signal TLS Proxy. One thing immediately jumped out: the NGINX image has not been updated for years. In fact, NGINX 1.18 is so old that it has been end of life for a year and a half as of this writing. If you are deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream nginx:alpine image instead....

October 15, 2022 · 1 min · 138 words · Tommy

Using Native ZFS Encryption with Proxmox

Currently, the Proxmox installer does not support setting up encryption with ZFS. Thus, we have to set it up manually. This post will go over how to use the native ZFS encryption with Proxmox. The post also assumes that the Proxmox installation is new and does not have any virtual machines or containers yet. Encrypting the rpool/ROOT dataset Proxmox installs its system inside of the rpool/ROOT dataset. This is what we will encrypt first....

March 11, 2023 · 4 min · 681 words · Tommy

Using Split GPG and Split SSH on Qubes OS

This post will go over setting up Split GPG, then setting up Split SSH with the same PGP keys. Effectively, we are emulating what you can do with a PGP smartcard on Qubes OS. Split GPG Follow the official Qubes OS documentation to set this up. Note that if you already have a PGP key with a passphrase, you can remove it by installing pinentry-gtk in vault’s TemplateVM, then running gpg2 --edit-key <key_id> and passwd to set an empty passphrase....

August 13, 2022 · 3 min · 428 words · Tommy