Android Tips

Android is a very secure and robust operating system out of the box. This post will be less of a “hardening guide”, but more of a non-exhaustive list of tips when it comes to buying and using Android phones. Android Devices Recommended Phones Google Pixel phones are the only devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element....

July 22, 2022 · 18 min · 3712 words · Tommy

Badness Enumeration

Badness enumeration is the concept of making a list of known bad actors and attempting to block them. While it seems intuitive at first glance, badness enumeration should not be relied on for privacy or security. In many cases, it actually does the exact opposite and directly harms the user. This post will attempt to explain why badness enumeration as a concept is flawed and give some examples of its failings in practice....

July 27, 2022 · 6 min · 1183 words · Tommy

Choosing Your Android-Based Operating System

Android is a secure operating system that has strong app sandboxing, Verified Boot (AVB), and a robust permission control system. When you buy an Android phone, the device’s default operating system often comes with invasive integration with apps and services that are not part of the Android Open-Source Project. An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on....

July 18, 2022 · 9 min · 1723 words · Tommy

Desktop Linux Hardening

Linux is not a secure desktop operating system. However, there are steps you can take to harden it, reduce its attack surface, and improve its privacy. Before we start… Some of the sections will include mentions of unofficial builds of packages like linux‑hardened, akmod, hardened_malloc, and so on. These are not endorsements — they are merely to show that you have options to easily obtain and update these packages. Using unofficial builds of packages means adding more parties to trust, and you have to evaluate whether it is worth doing so for the potential privacy/security benefits or not....

August 17, 2022 · 25 min · 5220 words · Tommy

Firewalling with MirageOS on Qubes OS

MirageOS is a library operating system with which you can create a unikernel for the sole purpose of acting as Qubes OS’s firewall. In this post, I will walk you through how to set this up. Advantages Small attack surface. The unikernel only contains a minimal set of libraries to function, so it has a much smaller attack surface than a general purpose operating system like a Linux distribution or openBSD....

August 26, 2022 · 2 min · 338 words · Tommy

Secure Time Synchronization on macOS

macOS by default uses the unencrypted and unauthenticated Network Time Protocol (NTP) for time synchronization. A popular solution to mitigate this problem is to use ChronyControl to setup NTS. However, the application requires administrator privileges, which is less than ideal. In this post, I will go over how to leverage virtualization to setup a local Linux server, update its time using NTS, and synchronize your macOS host with it using NTP, all without needing a privileged application....

June 25, 2023 · 6 min · 1125 words · Tommy

Setting up MTA-STS with a custom domain on Proton Mail

To this date, Proton Mail doesn’t support MTA-STS for custom domains. While DANE for SMTP is a much better solution to the same problem, MTA-STS exists for a reason: many providers are slow at adopting DNSSEC. DNSSEC is essential to enabling standards such as DANE or SSHFP. Notably, Gmail still does not support DANE but has supported MTA-STS for years. Therefore, MTA-STS and DANE can complement each other, and you should ideally deploy both....

July 13, 2023 · 6 min · 1129 words · Wonderfall

Update your Signal TLS Proxy

Given the current censorship situation in Iran, I decided to have a look at the Signal TLS Proxy. One thing immediately jumped out - the NGINX image has not been updated for years. In fact, NGINX 1.18 is so old that it has gone end of life for a year and a half as of this writing. If you are deploying or maintaining a Signal TLS Proxy, I highly recommend that you use the upstream nginx:alpine image instead....

October 15, 2022 · 1 min · 138 words · Tommy

Using Native ZFS Encryption with Proxmox

Currently, the Proxmox installer does not support setting up encryption with ZFS. Thus, we have to set it up manually. This post will go over how to use the native ZFS encryption with Proxmox. The post also assumes that the Proxmox installation is new and does not have any virtual machines or containers yet. Encrypting the rpool/ROOT dataset Proxmox installs its system inside of the rpool/ROOT dataset. This is what we will encrypt first....

March 11, 2023 · 4 min · 681 words · Tommy

Using Split GPG and Split SSH on Qubes OS

This post will go over setting up Split GPG, then setting up Split SSH with the same PGP keys. Effectively, we are emulating what you can do with a PGP smartcard on Qubes OS. Split GPG Follow the official Qubes OS documentation to set this up. Note that if you already have a PGP key with a passphrase, you can remove it by installing pinentry-gtk to vault’s TemplateVM, then do gpg2 --edit-key <key_id> and passwd to set an empty passphrase....

August 13, 2022 · 3 min · 428 words · Tommy