diff --git a/config.yml b/config.yml index 531cf77..3a8c4fc 100644 --- a/config.yml +++ b/config.yml @@ -51,8 +51,8 @@ params: url: code - name: Privacy url: privacy - - name: PGP - url: https://tommytran.io/tommy.asc + - name: Donate + url: donate socialIcons: - name: github @@ -106,30 +106,22 @@ markup: menu: main: - - identifier: Knowledge Base - name: Knowledge Base - url: /knowledge/ + - identifier: Categories + name: Categories + url: /posts/ weight: 10 - - identifier: Operating Systems - name: Operating Systems - url: /os/ - weight: 20 - - identifier: Applications - name: Applications - url: /apps/ - weight: 30 - identifier: Search name: Search url: /search/ - weight: 40 + weight: 20 - identifier: Tags name: Tags url: /tags/ - weight: 50 - - identifier: Donate - name: Donate - url: /donate/ - weight: 60 + weight: 30 + - identifier: PGP + name: PGP + url: https://tommytran.io/tommy.asc + weight: 40 privacy: disqus: diff --git a/content/apps/_index.md b/content/apps/_index.md deleted file mode 100644 index 4b16e30..0000000 --- a/content/apps/_index.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -title: Applications ---- \ No newline at end of file diff --git a/content/knowledge/_index.md b/content/knowledge/_index.md deleted file mode 100644 index bcbabc5..0000000 --- a/content/knowledge/_index.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -title: Knowledge Base ---- \ No newline at end of file diff --git a/content/os/_index.md b/content/os/_index.md deleted file mode 100644 index 7d73508..0000000 --- a/content/os/_index.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -title: Operating Systems ---- \ No newline at end of file diff --git a/content/posts/_index.md b/content/posts/_index.md new file mode 100644 index 0000000..68542b2 --- /dev/null +++ b/content/posts/_index.md @@ -0,0 +1,7 @@ +--- +title: Categories +ShowReadingTime: false +ShowWordCount: false +--- + +Find the content you are looking for! \ No newline at end of file 
diff --git a/content/os/Android Tips.md b/content/posts/android/Android Tips.md similarity index 97% rename from content/os/Android Tips.md rename to content/posts/android/Android Tips.md index 24d8a80..a62e675 100644 --- a/content/os/Android Tips.md +++ b/content/posts/android/Android Tips.md @@ -32,7 +32,7 @@ You should also be very wary of low quality privacy branded phones like the Free In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits. -I have written a detailed post on selecting your Android-based operating system, which you can find [here](../../os/choosing-your-android-based-operating-system). +I have written a detailed post on selecting your Android-based operating system, which you can find [here](/posts/os/choosing-your-android-based-operating-system). **TLDR**: If you are using a modern Pixel, use [GrapheneOS](https://grapheneos.org). If you are on a device supported by [DivestOS](https://divestos.org), use DivestOS. Otherwise, stick to your stock operating system. Do not blindly use an OS just because it is advertised as "degoogled". 
@@ -104,7 +104,7 @@ Multiple user profiles can be found in **Settings** → **System** → **Multipl With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. -Note that there is currently a [VPN leakage with secondary user profiles](/os/android-vpn-leakage-with-secondary-user-profiles). +Note that there is currently a [VPN leakage with secondary user profiles](/posts/os/android-vpn-leakage-with-secondary-user-profiles). ## Work Profile @@ -136,6 +136,10 @@ I have seen several common suggestions in the privacy community to mitigate this - **Using PGPP as a carrier**: The service randomizes your IMSI by regularly reprovisioning your eSIM. However, the IMEI broadcasted by the baseband modem would remain unchanged, allowing the carriers to track you anyways. +## SMS App + + + ## Where to Get Your Applications ### GrapheneOS App Store 
@@ -150,7 +154,7 @@ My recommendation is to stick with the Google Play Store unless your threat mode ### F-Droid -F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them [here](/apps/f-droid-security-issues/). +F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them [here](/posts/android/f-droid-security-issues/). I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as [NeoStore](https://github.com/NeoApplications/Neo-Store). You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead. 
@@ -183,7 +187,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr The Advanced Protection Program provides enhanced threat monitoring and enables: -- Stricter two factor authentication; e.g. that [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) **must** be used and disallows the use of [SMS OTP](/knowledge/multi-factor-authentication/#fido2-fast-identity-online), [TOTP](/knowledge/multi-factor-authentication/#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Stricter two factor authentication; e.g. that [FIDO2](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online) **must** be used and disallows the use of [SMS OTP](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online), [TOTP](/posts/knowledge/multi-factor-authentication/#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) - Only Google and verified third-party apps can access account data - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome diff --git a/content/os/Android VPN Leakage with Secondary User Profiles.md b/content/posts/android/Android VPN Leakage with Secondary User Profiles.md similarity index 95% rename from content/os/Android VPN Leakage with Secondary User Profiles.md rename to content/posts/android/Android VPN Leakage with Secondary User Profiles.md index 8d349f2..72fbc25 100644 --- a/content/os/Android VPN Leakage with Secondary User Profiles.md +++ b/content/posts/android/Android VPN Leakage with Secondary User Profiles.md 
@@ -17,7 +17,7 @@ You can reproduce the leak by doing the following: 1. Create a new user profile (you need to create a secondary user profile for this, as it is not reproducible on your owner profile or a work profile). Do not log into your Google account at this stage. 2. Sideload a VPN app. The leak happens with every VPN provider I have tried (since it is likely a platform issue), though if you do not have a VPN subscription I would recommend getting a free one with [ProtonVPN](https://protonvpn.com). -3. Setup the VPN and the [Android VPN killswitch](/os/android-tips/#enable-vpn-killswitch). +3. Setup the VPN and the [Android VPN killswitch](/posts/os/android-tips/#enable-vpn-killswitch). 4. Log into your Google account through Play Services. 5. Restart the phone. Open the secondary user profile again. 6. Go to Google's [My Devices](https://myaccount.google.com/device-activity) page. Observe that one of the sessions for your phone has your actual location obtained with GeoIP. In some cases, your actual IP address will be shown there as well. diff --git a/content/apps/Banking Applications compatibility with GrapheneOS.md b/content/posts/android/Banking Applications compatibility with GrapheneOS.md similarity index 100% rename from content/apps/Banking Applications compatibility with GrapheneOS.md rename to content/posts/android/Banking Applications compatibility with GrapheneOS.md diff --git a/content/os/Choosing Your Android-Based Operating System.md b/content/posts/android/Choosing Your Android-Based Operating System.md similarity index 94% rename from content/os/Choosing Your Android-Based Operating System.md rename to content/posts/android/Choosing Your Android-Based Operating System.md index 2b481ce..cc93fb3 100644 --- a/content/os/Choosing Your Android-Based Operating System.md +++ b/content/posts/android/Choosing Your Android-Based Operating System.md 
@@ -51,7 +51,7 @@ Some Android-based operating systems, including ones like CalyxOS, often fall be ### User Builds -As mentioned [above](/os/choosing-your-android-based-operating-system/), `userdebug` builds expose root over ADB and require more permissive SELinux policies to accommodate debugging features. `userdebug` builds violate the Android security model and are really only meant for developers to test out their android builds during development. +As mentioned [above](/posts/os/choosing-your-android-based-operating-system/), `userdebug` builds expose root over ADB and require more permissive SELinux policies to accommodate debugging features. `userdebug` builds violate the Android security model and are really only meant for developers to test out their android builds during development. End users should be using the production `user` builds, and any distributions that fail to deliver them like LineageOS or /e/ OS should be avoided. 
@@ -76,7 +76,7 @@ Currently, I am only aware of two Android-based operating systems that should be {{< youtube id="hx2eiPTe7Zg">}} -For usability purposes, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific work profile or user profile of your choice. Most interestingly, the [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html), [Google Play Games](https://play.google.com/googleplaygames), [Play Asset Delivery](https://developer.android.com/guide/playcore/asset-delivery), [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) all work exceptionally well. Most [Advanced Protection Program](https://landing.google.com/advancedprotection/) features, except for [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en) and restricted app installation, also work. +For usability purposes, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific work profile or user profile of your choice. 
Most interestingly, the [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html), [Google Play Games](https://play.google.com/googleplaygames), [Play Asset Delivery](https://developer.android.com/guide/playcore/asset-delivery), [FIDO2](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online) all work exceptionally well. Most [Advanced Protection Program](https://landing.google.com/advancedprotection/) features, except for [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en) and restricted app installation, also work. Because GrapheneOS does not grant any Google Apps and Services apart from the opt-in eSIM action app privileged access to the system, Play Protect cannot disable or uninstall known malicious applications when it detects them. As for restricted app installation, this feature is not that useful on stock operating system anyways, since it is bypassable with `adb push`. diff --git a/content/apps/F-Droid Security Issues.md b/content/posts/android/F-Droid Security Issues.md similarity index 100% rename from content/apps/F-Droid Security Issues.md rename to content/posts/android/F-Droid Security Issues.md diff --git a/content/posts/android/_index.md b/content/posts/android/_index.md new file mode 100644 index 0000000..2e455fd --- /dev/null +++ b/content/posts/android/_index.md @@ -0,0 +1,7 @@ +--- +title: Android +ShowReadingTime: false +ShowWordCount: false +--- + +A collection of posts about Android and related applications \ No newline at end of file diff --git a/content/knowledge/Badness Enumeration.md b/content/posts/knowledge/Badness Enumeration.md similarity index 100% rename from content/knowledge/Badness Enumeration.md rename to content/posts/knowledge/Badness Enumeration.md diff --git a/content/knowledge/FLOSS Security.md b/content/posts/knowledge/FLOSS Security.md similarity index 100% rename from content/knowledge/FLOSS Security.md rename to content/posts/knowledge/FLOSS Security.md 
diff --git a/content/knowledge/Multi-factor Authentication.md b/content/posts/knowledge/Multi-factor Authentication.md similarity index 100% rename from content/knowledge/Multi-factor Authentication.md rename to content/posts/knowledge/Multi-factor Authentication.md diff --git a/content/knowledge/Threat Modeling.md b/content/posts/knowledge/Threat Modeling.md similarity index 100% rename from content/knowledge/Threat Modeling.md rename to content/posts/knowledge/Threat Modeling.md diff --git a/content/posts/knowledge/_index.md b/content/posts/knowledge/_index.md new file mode 100644 index 0000000..37df047 --- /dev/null +++ b/content/posts/knowledge/_index.md @@ -0,0 +1,7 @@ +--- +title: Knowledge Base +ShowReadingTime: false +ShowWordCount: false +--- + +A collection of posts about general privacy and security knowledge \ No newline at end of file diff --git a/content/os/Choosing Your Desktop Linux Distribution.md b/content/posts/linux/Choosing Your Desktop Linux Distribution.md similarity index 100% rename from content/os/Choosing Your Desktop Linux Distribution.md rename to content/posts/linux/Choosing Your Desktop Linux Distribution.md diff --git a/content/os/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md similarity index 97% rename from content/os/Desktop-Linux-Hardening.md rename to content/posts/linux/Desktop-Linux-Hardening.md index bd0f025..c63a3fe 100644 --- a/content/os/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md @@ -5,7 +5,7 @@ tags: ['Operating Systems', 'Linux', 'Privacy', 'Security'] author: Tommy --- -Linux is [not](/os/linux-insecurities) a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy. +Linux is [not](/posts/os/linux-insecurities) a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy. **Before We Start**... 
@@ -33,7 +33,7 @@ Depending on your distribution, encrypted swap may be automatically set up if yo Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) by default to configure Ethernet and Wi-Fi settings. -WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out. +WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/posts/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out. In short, if you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf`: ``` @@ -68,7 +68,7 @@ Note that randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi card ### Other Identifiers -There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/knowledge/threat-modeling/): +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/posts/knowledge/threat-modeling/): - **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. - **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). 
@@ -87,7 +87,7 @@ Zorin OS uses the `zorin-os-cencus` package, which also uses a [unique ID](https [Snapd](https://github.com/snapcore/snapd) assigns a [unique ID](https://snapcraft.io/docs/snap-store-metrics) to your snapd installation and use it for telemetry. While this is generally not a problem, if your threat model calls for anonymity, you should not be using snap packages, and you should remove snapd from your Ubuntu installation. Like with Zorin Census, on Debian based distributions, and especially Ubuntu, consider holding `snapd` with `sudo apt-mark hold snapd`. -Of course, this is a non-exhaustive list of how different Linux distributions do this. If you are aware of any other tracking mechanisms that different distributions use, feel free to make a [pull request](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/os/Linux-Desktop-Hardening.md) or [discussion post](https://github.com/PrivSec-dev/privsec.dev/discussions) detailing them! +Of course, this is a non-exhaustive list of how different Linux distributions do this. If you are aware of any other tracking mechanisms that different distributions use, feel free to make a [pull request](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/posts/linux/Linux-Desktop-Hardening.md) or [discussion post](https://github.com/PrivSec-dev/privsec.dev/discussions) detailing them! ### Keystroke Anonymization You could be [fingerprinted based on soft biometric traits](https://www.whonix.org/wiki/Keystroke_Deanonymization) when you use the keyboard. The [Kloak](https://github.com/vmonaco/kloak) package could help you mitigate this threat. It is available as a .deb package from [Kicksecure's repository](https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts) and an [AUR package](https://aur.archlinux.org/packages/kloak-git). 
@@ -171,7 +171,7 @@ You can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, If you’re running a server, you may have heard of Linux Containers. They are more common in server environments where individual services are built to operate independently. However, you may sometimes see them on desktop systems as well, especially for development purposes. -[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/apps/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on. +[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/posts/apps/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on. Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host. diff --git a/content/apps/Docker and OCI Hardening.md b/content/posts/linux/Docker and OCI Hardening.md similarity index 100% rename from content/apps/Docker and OCI Hardening.md rename to content/posts/linux/Docker and OCI Hardening.md 
diff --git a/content/os/Linux Insecurities.md b/content/posts/linux/Linux Insecurities.md similarity index 98% rename from content/os/Linux Insecurities.md rename to content/posts/linux/Linux Insecurities.md index 96325de..ffc2083 100644 --- a/content/os/Linux Insecurities.md +++ b/content/posts/linux/Linux Insecurities.md @@ -47,7 +47,7 @@ The only way to systematically fix this problem is to design a whole new system ## But Linux is open source! -Something being open source does not imply that it is inherently private, secure, or trustworthy. I recommend reading the [FLOSS Security](/knowledge/floss-security) post by [Rohan Kumar](https://seirdy.one/posts/2022/02/02/floss-security/). +Something being open source does not imply that it is inherently private, secure, or trustworthy. I recommend reading the [FLOSS Security](/posts/knowledge/floss-security) post by [Rohan Kumar](https://seirdy.one/posts/2022/02/02/floss-security/). ## But there is less malware on Linux! diff --git a/content/os/NetworkManager Trackability Reduction.md b/content/posts/linux/NetworkManager Trackability Reduction.md similarity index 100% rename from content/os/NetworkManager Trackability Reduction.md rename to content/posts/linux/NetworkManager Trackability Reduction.md diff --git a/content/apps/ProtonVPN IP Leakage on Linux and Workaround.md b/content/posts/linux/ProtonVPN IP Leakage on Linux and Workaround.md similarity index 100% rename from content/apps/ProtonVPN IP Leakage on Linux and Workaround.md rename to content/posts/linux/ProtonVPN IP Leakage on Linux and Workaround.md diff --git a/content/os/Securing OpenSSH with FIDO2.md b/content/posts/linux/Securing OpenSSH with FIDO2.md similarity index 100% rename from content/os/Securing OpenSSH with FIDO2.md rename to content/posts/linux/Securing OpenSSH with FIDO2.md diff --git a/content/posts/linux/_index.md b/content/posts/linux/_index.md new file mode 100644 index 0000000..ba99892 --- /dev/null +++ b/content/posts/linux/_index.md 
@@ -0,0 +1,7 @@ +--- +title: Linux +ShowReadingTime: false +ShowWordCount: false +--- + +A collection of posts about Linux and related applications \ No newline at end of file diff --git a/content/knowledge/Commercial VPN Use Cases.md b/content/posts/proxies/Commercial VPN Use Cases.md similarity index 100% rename from content/knowledge/Commercial VPN Use Cases.md rename to content/posts/proxies/Commercial VPN Use Cases.md diff --git a/content/apps/Update your Signal TLS Proxy.md b/content/posts/proxies/Update your Signal TLS Proxy.md similarity index 100% rename from content/apps/Update your Signal TLS Proxy.md rename to content/posts/proxies/Update your Signal TLS Proxy.md diff --git a/content/posts/proxies/_index.md b/content/posts/proxies/_index.md new file mode 100644 index 0000000..1eeec9d --- /dev/null +++ b/content/posts/proxies/_index.md @@ -0,0 +1,7 @@ +--- +title: Proxies +ShowReadingTime: false +ShowWordCount: false +--- + +A collection of posts about proxies \ No newline at end of file diff --git a/content/os/Firewalling with MirageOS on Qubes OS.md b/content/posts/qubes/Firewalling with MirageOS on Qubes OS.md similarity index 100% rename from content/os/Firewalling with MirageOS on Qubes OS.md rename to content/posts/qubes/Firewalling with MirageOS on Qubes OS.md diff --git a/content/apps/Using Lokinet on Qubes OS.md b/content/posts/qubes/Using Lokinet on Qubes OS.md similarity index 100% rename from content/apps/Using Lokinet on Qubes OS.md rename to content/posts/qubes/Using Lokinet on Qubes OS.md diff --git a/content/apps/Using Mullvad VPN on Qubes OS.md b/content/posts/qubes/Using Mullvad VPN on Qubes OS.md similarity index 90% rename from content/apps/Using Mullvad VPN on Qubes OS.md rename to content/posts/qubes/Using Mullvad VPN on Qubes OS.md index d4121c6..e9b14be 100644 --- a/content/apps/Using Mullvad VPN on Qubes OS.md +++ b/content/posts/qubes/Using Mullvad VPN on Qubes OS.md 
@@ -33,11 +33,11 @@ EOF Inside of the TemplateVM you have just created, do the following: ```bash -sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.4_x86_64.rpm +sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm sudo systemctl enable mullvad-daemon ``` -Replace `https://mullvad.net/media/app/MullvadVPN-2022.4_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/). +Replace `https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/). ![Mullvad VPN URL](/images/mullvad-vpn-2.png) @@ -66,6 +66,6 @@ You can now use this ProxyVM as the net qube for other qubes! With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling. -Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced. +Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced. ![MirageOS](/images/mirageos.png) \ No newline at end of file 
diff --git a/content/os/Using Split GPG and Split SSH on Qubes OS.md b/content/posts/qubes/Using Split GPG and Split SSH on Qubes OS.md similarity index 100% rename from content/os/Using Split GPG and Split SSH on Qubes OS.md rename to content/posts/qubes/Using Split GPG and Split SSH on Qubes OS.md diff --git a/content/posts/qubes/_index.md b/content/posts/qubes/_index.md new file mode 100644 index 0000000..1e2d90c --- /dev/null +++ b/content/posts/qubes/_index.md @@ -0,0 +1,7 @@ +--- +title: Qubes OS +ShowReadingTime: false +ShowWordCount: false +--- + +A collection of posts about Qubes OS and related applications \ No newline at end of file diff --git a/content/providers/_index.md b/content/providers/_index.md deleted file mode 100644 index 9f4c810..0000000 --- a/content/providers/_index.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -title: Providers ---- \ No newline at end of file diff --git a/external-blogs.sh b/external-blogs.sh index bf3115d..6a63dc4 100755 --- a/external-blogs.sh +++ b/external-blogs.sh 
@@ -2,37 +2,37 @@ #F-Droid Security Analysis echo "Fetching and Modifying the F-Droid Security Issues post" -rm -rf './content/apps/F-Droid Security Issues.md' -curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/fdroid-issues.md -o './content/apps/F-Droid Security Issues.md' -sed -i 's/title:.*/title: "F-Droid Security Issues"/' './content/apps/F-Droid Security Issues.md' -sed -i '/draft:.*/d' './content/apps/F-Droid Security Issues.md' -sed -i "s/tags:.*/tags: ['Applications', 'Android', 'Security']/" './content/apps/F-Droid Security Issues.md' -sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/F-Droid Security Issues.md' -sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/fdroid-issues' './content/apps/F-Droid Security Issues.md' -sed -i '/^tags:.*/a author: Wonderfall' './content/apps/F-Droid Security Issues.md' +rm -rf './content/posts/android/F-Droid Security Issues.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/fdroid-issues.md -o './content/posts/android/F-Droid Security Issues.md' +sed -i 's/title:.*/title: "F-Droid Security Issues"/' './content/posts/android/F-Droid Security Issues.md' +sed -i '/draft:.*/d' './content/posts/android/F-Droid Security Issues.md' +sed -i "s/tags:.*/tags: ['Applications', 'Android', 'Security']/" './content/posts/android/F-Droid Security Issues.md' +sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/android/F-Droid Security Issues.md' +sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/fdroid-issues' './content/posts/android/F-Droid Security Issues.md' +sed -i '/^tags:.*/a author: Wonderfall' './content/posts/android/F-Droid Security Issues.md' #Docker and OCI Hardening echo "Fetching and Modifying the Docker and OCI Hardening post" -rm -rf './content/apps/Docker and OCI Hardening.md' -curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o 
'./content/apps/Docker and OCI Hardening.md' -sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/apps/Docker and OCI Hardening.md' -sed -i '/draft:.*/d' './content/apps/Docker and OCI Hardening.md' -sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/apps/Docker and OCI Hardening.md' -sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/Docker and OCI Hardening.md' -sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/apps/Docker and OCI Hardening.md' -sed -i '/^tags:.*/a author: Wonderfall' './content/apps/Docker and OCI Hardening.md' +rm -rf './content/posts/linux/Docker and OCI Hardening.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md' +sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/posts/linux/Docker and OCI Hardening.md' +sed -i '/draft:.*/d' './content/posts/linux/Docker and OCI Hardening.md' +sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/posts/linux/Docker and OCI Hardening.md' +sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Docker and OCI Hardening.md' +sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/posts/linux/Docker and OCI Hardening.md' +sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Docker and OCI Hardening.md' #Securing OpenSSH with FIDO2 echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post" rm -rf './content/os/Securing OpenSSH with FIDO2.md' -curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/os/Securing OpenSSH with FIDO2.md' -sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/os/Securing OpenSSH with FIDO2.md' -sed -i '/draft:.*/d' './content/os/Securing OpenSSH with FIDO2.md' -sed -i "s/tags:.*/tags: 
['Operating Systems', 'Linux', 'Security']/" './content/os/Securing OpenSSH with FIDO2.md' -sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/os/Securing OpenSSH with FIDO2.md' -sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/os/Securing OpenSSH with FIDO2.md' -sed -i '/^tags:.*/a author: Wonderfall' './content/os/Securing OpenSSH with FIDO2.md' +curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md' +sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/posts/linux/Securing OpenSSH with FIDO2.md' +sed -i '/draft:.*/d' './content/posts/linux/Securing OpenSSH with FIDO2.md' +sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/posts/linux/Securing OpenSSH with FIDO2.md' +sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Securing OpenSSH with FIDO2.md' +sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/posts/linux/Securing OpenSSH with FIDO2.md' +sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Securing OpenSSH with FIDO2.md' # Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown. # His GitHub repo: https://github.com/Seirdy/seirdy.one diff --git a/static/_headers b/static/_headers index 985e26e..183f8bf 100644 --- a/static/_headers +++ b/static/_headers 
@@ -12,19 +12,19 @@ Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://tommytran732.report-uri.com/a/d/g"}],"include_subdomains":true} NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true} -/knowledge/multi-factor-authentication/ +/posts/knowledge/multi-factor-authentication/ Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' -/os/android-tips/ +/posts/os/android-tips/ Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' -/os/choosing-your-android-based-operating-system/ +/posts/os/choosing-your-android-based-operating-system/ Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' -/os/choosing-your-desktop-linux-distribution/ +/posts/os/choosing-your-desktop-linux-distribution/ Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' -/os/desktop-linux-hardening/ +/posts/os/desktop-linux-hardening/ Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' 
/*.xml diff --git a/static/_redirects b/static/_redirects index d0440e4..e67c5a2 100644 --- a/static/_redirects +++ b/static/_redirects 
@@ -1,3 +1,26 @@ -/f-droid* /apps/f-droid-security-issues/ 301 -/banking* /apps/banking-applications-compatibility-with-grapheneos/ 301 -/apps/banking* /apps/banking-applications-compatibility-with-grapheneos/ 301 \ No newline at end of file +/os/android-tips/ /posts/android/android-tips/ 301 +/os/android-vpn-leakage* /posts/android/android-vpn-leakage-with-secondary-user-profiles/ 301 +/apps/banking* /posts/android/banking-applications-compatibility-with-grapheneos/ 301 +/os/choosing-your-android* /posts/android/choosing-your-android-based-operating-system/ 301 +/apps/f-droid* /posts/android/f-droid-security-issues/ 301 + +/knowledge/badness-enumeration/ /posts/knowledge/badness-enumeration/ 301 +/knowledge/commercial-vpn-use-cases/ /posts/proxies/commercial-vpn-use-cases/ 301 +/knowledge/floss-security/ /posts/knowledge/floss-security/ 301 +/knowledge/multi-factor-authentication/ /posts/knowledge/multi-factor-authentication/ 301 +/knowledge/threat-modeling/ /posts/kmowledge/threat-modeling/ 301 + +/os/choosing-your-desktop-linux* /posts/linux/choosing-your-desktop-linux-distribution/ 301 +/os/desktop-linux-hardening* /posts/linux/desktop-linux-hardening/ 301 +/apps/docker* /posts/linux/docker-and-oci-hardening/ 301 +/os/linux-insecurities* /posts/linux/linux-insecurities/ 301 +/os/networkmanager* /posts/linux/networkmanager-trackability-reduction/ 301 +/apps/protonvpn-ip* /posts/linux/protonvpn-ip-leakage-on-linux-and-workaround/ 301 +/os/securing-openssh-with-fido2* /posts/linux/securing-openssh-with-fido2/ 301 + +/apps/update-your-signal* /posts/proxies/update-your-signal-tls-proxy/ 301 + +/os/firewalling-with-mirageos* /posts/qubes/firewalling-with-mirageos-on-qubes-os/ 301 +/apps/using-lokinet-on-qubes-os* /posts/qubes/using-lokinet-on-qubes-os/ 301 +/apps/using-mullvad-vpn-on-qube* /posts/qubes/using-mullvad-vpn-on-qubes-os/ 301 +/os/using-split-gpg-and-split-ssh* /posts/qubes/using-split-gpg-and-split-ssh-on-qubes-os/ 301 
diff --git a/static/images/ivpn-1.png b/static/images/ivpn-1.png new file mode 100644 index 0000000..d8a74c5 Binary files /dev/null and b/static/images/ivpn-1.png differ
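Review bot: in the "Securing OpenSSH with FIDO2" block of the @@ -2,37 +2,37 @@ hunk, `rm -rf './content/os/Securing OpenSSH with FIDO2.md'` is left as an unchanged context line while the `curl -o` and every `sed` on the following lines now point at `./content/posts/linux/Securing OpenSSH with FIDO2.md`, so the rm targets a path that no longer exists and never clears the new one, unlike the F-Droid and Docker blocks where the rm was moved along with the rest. Change it to `rm -f './content/posts/linux/Securing OpenSSH with FIDO2.md'` (`-f` alone is enough for a single file). Since all three curl lines are being rewritten anyway: each fetches from the `main` branch of a third-party repository with no `-f`/`--fail`, so a 404 or a renamed post writes GitHub's error body into the .md and the build still succeeds, and anything pushed to that branch lands on this site unreviewed. Pin the raw URLs to a commit SHA instead of `main` and use `curl -fsSL`, or at least check curl's exit status before running the sed chain on the downloaded file.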
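Review bot: the new path prefixes in the @@ -12,19 +12,19 @@ hunk of static/_headers do not match where the pages now live according to static/_redirects in the same patch: `/posts/os/android-tips/` and `/posts/os/choosing-your-android-based-operating-system/` are redirected to `/posts/android/...`, and `/posts/os/choosing-your-desktop-linux-distribution/` and `/posts/os/desktop-linux-hardening/` to `/posts/linux/...`. Those four per-page Content-Security-Policy entries (the ones that open `frame-src` to `https://www.youtube-nocookie.com https://www.google.com`) will therefore never match a served URL, and the pages silently get only the site-wide header block, whose policy is outside this hunk, rather than the policy written for them. Update the four paths to `/posts/android/...` and `/posts/linux/...`; only `/posts/knowledge/multi-factor-authentication/` agrees with the redirect map.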
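Review bot: `/knowledge/threat-modeling/ /posts/kmowledge/threat-modeling/ 301` in the @@ -1,3 +1,26 @@ hunk of static/_redirects has a typo in the target (`kmowledge`), so the old URL will 301 to a 404; it should read `/posts/knowledge/threat-modeling/`, matching the neighbouring entries. The hunk also drops the two root-level short links the file used to define, `/f-droid*` and `/banking*`, keeping only the `/apps/...` forms, so any published short URL of that shape now breaks; either keep `/f-droid* /posts/android/f-droid-security-issues/ 301` and `/banking* /posts/android/banking-applications-compatibility-with-grapheneos/ 301` or state the removal in the commit message. Minor: `/os/android-tips/` is the only exact-match source while every other rule ends in a `*` splat, so `/os/android-tips` without the trailing slash will only redirect if the host normalises it; `/os/android-tips*` would be consistent with the rest.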