Operating Systems

Android is a very secure and robust operating system out of the box. This post will be less of a “hardening guide”, but more of a non-exhaustive list of tips when it comes to buying and using Android phones. Android Devices Recommended Phones Google Pixel phones are the only devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element....

Update: This is no longer reproducible on Android 13 QPR1 and Android 14 Developer Preview 1. Before We Start… I have been aware of this issue for awhile now (since at least Android 11), though I have not done enough testing to see what actually causes the leak nor do I have any workaround at the moment. My guess is that applications which launch early when you log into a secondary profile can bypass the VPN killswitch....

Android is a secure operating system that has strong app sandboxing, Verified Boot (AVB), and a robust permission control system. When you buy an Android phone, the device’s default operating system often comes with invasive integration with apps and services that are not part of the Android Open-Source Project. An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on....

Premise ChromeOS encrypts user data on the disk by default. The implementation details are documented upstream but not relevant within the scope of this post. It is well-known that ChromeOS uses Google account passwords as the primary login credentials. This necessarily means that anyone with knowledge of the Google account password is able to unlock and therefore decrypt a ChromeOS user profile. Practical Implications The very same Google account passwords used for ChromeOS authentication are also used for logging in to various Google services in web browsers and other apps....

Linux is not a secure desktop operating system. However, there are steps you can take to harden it, reduce its attack surface, and improve its privacy. Before we start… Some of the sections will include mentions of unofficial builds of packages like linux‑hardened, akmod, hardened_malloc, and so on. These are not endorsements — they are merely to show that you have options to easily obtain and update these packages. Using unofficial builds of packages means adding more parties to trust, and you have to evaluate whether it is worth doing so for the potential privacy/security benefits or not....

MirageOS is a library operating system with which you can create a unikernel for the sole purpose of acting as Qubes OS’s firewall. In this post, I will walk you through how to set this up. Advantages Small attack surface. The unikernel only contains a minimal set of libraries to function, so it has a much smaller attack surface than a general purpose operating system like a Linux distribution or openBSD....

This will turn your device into a purely penetration testing device, and it will be very insecure for any other purpose. Please do not do this on your daily driver. This procedure should work without modification on many devices using the standard Android bootloader (not Samsung). However, every device has unique quirks that may require special attention. Originally, I just needed a device to run packet capture on my other devices....

MAC address randomization Note that Ethernet connections can still be tracked via switch ports, and WiFi connections can be broadly localized by access point. Furthermore, MAC address spoofing and randomization depends on firmware support from the interface. Most modern network interface cards support the feature. There are three different aspects of MAC address randomization in NetworkManager, each with their own configuration flag: WiFi scanning [device] wifi.scan-rand-mac-address=yes WiFi connections [connection] wifi.cloned-mac-address=<mode> Ethernet connections [connection] ethernet....

Currently, the Proxmox installer does not support setting up encryption with ZFS. Thus, we have to set it up manually. This post will go over how to use the native ZFS encryption with Proxmox. The post also assumes that the Proxmox installation is new and does not have any virtual machines or containers yet. Encrypting the rpool/ROOT dataset Proxmox installs its system inside of the rpool/ROOT dataset. This is what we will encrypt first....

This post will go over setting up Split GPG, then setting up Split SSH with the same PGP keys. Effectively, we are emulating what you can do with a PGP smartcard on Qubes OS. Split GPG Follow the official Qubes OS documentation to set this up. Note that if you already have a PGP key with a passphrase, you can remove it by installing pinentry-gtk to vault’s TemplateVM, then do gpg2 --edit-key <key_id> and passwd to set an empty passphrase....