Security

Android is a very secure and robust operating system out of the box. This post will be less of a “hardening guide”, but more of a non-exhaustive list of tips when it comes to buying and using Android phones. Android Devices Recommended Phones Google Pixel phones are the only devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element....

Badness enumeration is the concept of making a list of known bad actors and attempting to block them. While it seems intuitive at first glance, badness enumeration should not be relied on for privacy or security. In many cases, it actually does the exact opposite and directly harms the user. This post will attempt to explain why badness enumeration as a concept is flawed and give some examples of its failings in practice....

Android is a secure operating system that has strong app sandboxing, Verified Boot (AVB), and a robust permission control system. When you buy an Android phone, the device’s default operating system often comes with invasive integration with apps and services that are not part of the Android Open-Source Project. An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on....

Linux is not a secure desktop operating system. However, there are steps you can take to harden it, reduce its attack surface, and improve its privacy. Before we start… Some of the sections will include mentions of unofficial builds of packages like linux‑hardened, akmod, hardened_malloc, and so on. These are not endorsements — they are merely to show that you have options to easily obtain and update these packages. Using unofficial builds of packages means adding more parties to trust, and you have to evaluate whether it is worth doing so for the potential privacy/security benefits or not....

MirageOS is a library operating system with which you can create a unikernel for the sole purpose of acting as Qubes OS’s firewall. In this post, I will walk you through how to set this up. Advantages Small attack surface. The unikernel only contains a minimal set of libraries to function, so it has a much smaller attack surface than a general purpose operating system like a Linux distribution or openBSD....

macOS by default uses the unencrypted and unauthenticated Network Time Protocol (NTP) for time synchronization. A popular solution to mitigate this problem is to use ChronyControl to setup NTS. However, the application requires administrator privileges, which is less than ideal. In this post, I will go over how to leverage virtualization to setup a local Linux server, update its time using NTS, and synchronize your macOS host with it using NTP, all without needing a privileged application....

To this date, Proton Mail doesn’t support MTA-STS for custom domains. While DANE for SMTP is a much better solution to the same problem, MTA-STS exists for a reason: many providers are slow at adopting DNSSEC. DNSSEC is essential to enabling standards such as DANE or SSHFP. Notably, Gmail still does not support DANE but has supported MTA-STS for years. Therefore, MTA-STS and DANE can complement each other, and you should ideally deploy both....

Given the current censorship situation in Iran, I decided to have a look at the Signal TLS Proxy. One thing immediately jumped out - the NGINX image has not been updated for years. In fact, NGINX 1.18 is so old that it has gone end of life for a year and a half as of this writing. If you are deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream nginx:alpine image instead....

Currently, the Proxmox installer does not support setting up encryption with ZFS. Thus, we have to set it up manually. This post will go over how to use the native ZFS encryption with Proxmox. The post also assumes that the Proxmox installation is new and does not have any virtual machines or containers yet. Encrypting the rpool/ROOT dataset Proxmox installs its system inside of the rpool/ROOT dataset. This is what we will encrypt first....

This post will go over setting up Split GPG, then setting up Split SSH with the same PGP keys. Effectively, we are emulating what you can do with a PGP smartcard on Qubes OS. Split GPG Follow the official Qubes OS documentation to set this up. Note that if you already have a PGP key with a passphrase, you can remove it by installing pinentry-gtk to vault’s TemplateVM, then do gpg2 --edit-key <key_id> and passwd to set an empty passphrase....