mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-22 04:41:33 -05:00
Reorganize (#72)
* Reorganize Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
46501875be
commit
bf55611133
30
config.yml
30
config.yml
@ -51,8 +51,8 @@ params:
|
|||||||
url: code
|
url: code
|
||||||
- name: Privacy
|
- name: Privacy
|
||||||
url: privacy
|
url: privacy
|
||||||
- name: PGP
|
- name: Donate
|
||||||
url: https://tommytran.io/tommy.asc
|
url: donate
|
||||||
|
|
||||||
socialIcons:
|
socialIcons:
|
||||||
- name: github
|
- name: github
|
||||||
@ -106,30 +106,22 @@ markup:
|
|||||||
|
|
||||||
menu:
|
menu:
|
||||||
main:
|
main:
|
||||||
- identifier: Knowledge Base
|
- identifier: Categories
|
||||||
name: Knowledge Base
|
name: Categories
|
||||||
url: /knowledge/
|
url: /posts/
|
||||||
weight: 10
|
weight: 10
|
||||||
- identifier: Operating Systems
|
|
||||||
name: Operating Systems
|
|
||||||
url: /os/
|
|
||||||
weight: 20
|
|
||||||
- identifier: Applications
|
|
||||||
name: Applications
|
|
||||||
url: /apps/
|
|
||||||
weight: 30
|
|
||||||
- identifier: Search
|
- identifier: Search
|
||||||
name: Search
|
name: Search
|
||||||
url: /search/
|
url: /search/
|
||||||
weight: 40
|
weight: 20
|
||||||
- identifier: Tags
|
- identifier: Tags
|
||||||
name: Tags
|
name: Tags
|
||||||
url: /tags/
|
url: /tags/
|
||||||
weight: 50
|
weight: 30
|
||||||
- identifier: Donate
|
- identifier: PGP
|
||||||
name: Donate
|
name: PGP
|
||||||
url: /donate/
|
url: https://tommytran.io/tommy.asc
|
||||||
weight: 60
|
weight: 40
|
||||||
|
|
||||||
privacy:
|
privacy:
|
||||||
disqus:
|
disqus:
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
title: Applications
|
|
||||||
---
|
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
title: Knowledge Base
|
|
||||||
---
|
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
title: Operating Systems
|
|
||||||
---
|
|
7
content/posts/_index.md
Normal file
7
content/posts/_index.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
title: Categories
|
||||||
|
ShowReadingTime: false
|
||||||
|
ShowWordCount: false
|
||||||
|
---
|
||||||
|
|
||||||
|
Find the content you are looking for!
|
@ -32,7 +32,7 @@ You should also be very wary of low quality privacy branded phones like the Free
|
|||||||
|
|
||||||
In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits.
|
In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits.
|
||||||
|
|
||||||
I have written a detailed post on selecting your Android-based operating system, which you can find [here](../../os/choosing-your-android-based-operating-system).
|
I have written a detailed post on selecting your Android-based operating system, which you can find [here](/posts/os/choosing-your-android-based-operating-system).
|
||||||
|
|
||||||
**TLDR**: If you are using a modern Pixel, use [GrapheneOS](https://grapheneos.org). If you are on a device supported by [DivestOS](https://divestos.org), use DivestOS. Otherwise, stick to your stock operating system. Do not blindly use an OS just because it is advertised as "degoogled".
|
**TLDR**: If you are using a modern Pixel, use [GrapheneOS](https://grapheneos.org). If you are on a device supported by [DivestOS](https://divestos.org), use DivestOS. Otherwise, stick to your stock operating system. Do not blindly use an OS just because it is advertised as "degoogled".
|
||||||
|
|
||||||
@ -104,7 +104,7 @@ Multiple user profiles can be found in **Settings** → **System** → **Multipl
|
|||||||
|
|
||||||
With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
|
With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
|
||||||
|
|
||||||
Note that there is currently a [VPN leakage with secondary user profiles](/os/android-vpn-leakage-with-secondary-user-profiles).
|
Note that there is currently a [VPN leakage with secondary user profiles](/posts/os/android-vpn-leakage-with-secondary-user-profiles).
|
||||||
|
|
||||||
## Work Profile
|
## Work Profile
|
||||||
|
|
||||||
@ -136,6 +136,10 @@ I have seen several common suggestions in the privacy community to mitigate this
|
|||||||
|
|
||||||
- **Using PGPP as a carrier**: The service randomizes your IMSI by regularly reprovisioning your eSIM. However, the IMEI broadcasted by the baseband modem would remain unchanged, allowing the carriers to track you anyways.
|
- **Using PGPP as a carrier**: The service randomizes your IMSI by regularly reprovisioning your eSIM. However, the IMEI broadcasted by the baseband modem would remain unchanged, allowing the carriers to track you anyways.
|
||||||
|
|
||||||
|
## SMS App
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Where to Get Your Applications
|
## Where to Get Your Applications
|
||||||
|
|
||||||
### GrapheneOS App Store
|
### GrapheneOS App Store
|
||||||
@ -150,7 +154,7 @@ My recommendation is to stick with the Google Play Store unless your threat mode
|
|||||||
|
|
||||||
### F-Droid
|
### F-Droid
|
||||||
|
|
||||||
F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them [here](/apps/f-droid-security-issues/).
|
F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them [here](/posts/android/f-droid-security-issues/).
|
||||||
|
|
||||||
I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as [NeoStore](https://github.com/NeoApplications/Neo-Store). You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead.
|
I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as [NeoStore](https://github.com/NeoApplications/Neo-Store). You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead.
|
||||||
|
|
||||||
@ -183,7 +187,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr
|
|||||||
|
|
||||||
The Advanced Protection Program provides enhanced threat monitoring and enables:
|
The Advanced Protection Program provides enhanced threat monitoring and enables:
|
||||||
|
|
||||||
- Stricter two factor authentication; e.g. that [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) **must** be used and disallows the use of [SMS OTP](/knowledge/multi-factor-authentication/#fido2-fast-identity-online), [TOTP](/knowledge/multi-factor-authentication/#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
|
- Stricter two factor authentication; e.g. that [FIDO2](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online) **must** be used and disallows the use of [SMS OTP](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online), [TOTP](/posts/knowledge/multi-factor-authentication/#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
|
||||||
- Only Google and verified third-party apps can access account data
|
- Only Google and verified third-party apps can access account data
|
||||||
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
|
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
|
||||||
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
|
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
|
@ -17,7 +17,7 @@ You can reproduce the leak by doing the following:
|
|||||||
|
|
||||||
1. Create a new user profile (you need to create a secondary user profile for this, as it is not reproducible on your owner profile or a work profile). Do not log into your Google account at this stage.
|
1. Create a new user profile (you need to create a secondary user profile for this, as it is not reproducible on your owner profile or a work profile). Do not log into your Google account at this stage.
|
||||||
2. Sideload a VPN app. The leak happens with every VPN provider I have tried (since it is likely a platform issue), though if you do not have a VPN subscription I would recommend getting a free one with [ProtonVPN](https://protonvpn.com).
|
2. Sideload a VPN app. The leak happens with every VPN provider I have tried (since it is likely a platform issue), though if you do not have a VPN subscription I would recommend getting a free one with [ProtonVPN](https://protonvpn.com).
|
||||||
3. Setup the VPN and the [Android VPN killswitch](/os/android-tips/#enable-vpn-killswitch).
|
3. Setup the VPN and the [Android VPN killswitch](/posts/os/android-tips/#enable-vpn-killswitch).
|
||||||
4. Log into your Google account through Play Services.
|
4. Log into your Google account through Play Services.
|
||||||
5. Restart the phone. Open the secondary user profile again.
|
5. Restart the phone. Open the secondary user profile again.
|
||||||
6. Go to Google's [My Devices](https://myaccount.google.com/device-activity) page. Observe that one of the sessions for your phone has your actual location obtained with GeoIP. In some cases, your actual IP address will be shown there as well.
|
6. Go to Google's [My Devices](https://myaccount.google.com/device-activity) page. Observe that one of the sessions for your phone has your actual location obtained with GeoIP. In some cases, your actual IP address will be shown there as well.
|
@ -51,7 +51,7 @@ Some Android-based operating systems, including ones like CalyxOS, often fall be
|
|||||||
|
|
||||||
### User Builds
|
### User Builds
|
||||||
|
|
||||||
As mentioned [above](/os/choosing-your-android-based-operating-system/), `userdebug` builds expose root over ADB and require more permissive SELinux policies to accommodate debugging features. `userdebug` builds violate the Android security model and are really only meant for developers to test out their android builds during development.
|
As mentioned [above](/posts/os/choosing-your-android-based-operating-system/), `userdebug` builds expose root over ADB and require more permissive SELinux policies to accommodate debugging features. `userdebug` builds violate the Android security model and are really only meant for developers to test out their android builds during development.
|
||||||
|
|
||||||
End users should be using the production `user` builds, and any distributions that fail to deliver them like LineageOS or /e/ OS should be avoided.
|
End users should be using the production `user` builds, and any distributions that fail to deliver them like LineageOS or /e/ OS should be avoided.
|
||||||
|
|
||||||
@ -76,7 +76,7 @@ Currently, I am only aware of two Android-based operating systems that should be
|
|||||||
|
|
||||||
{{< youtube id="hx2eiPTe7Zg">}}
|
{{< youtube id="hx2eiPTe7Zg">}}
|
||||||
|
|
||||||
For usability purposes, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific work profile or user profile of your choice. Most interestingly, the [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html), [Google Play Games](https://play.google.com/googleplaygames), [Play Asset Delivery](https://developer.android.com/guide/playcore/asset-delivery), [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) all work exceptionally well. Most [Advanced Protection Program](https://landing.google.com/advancedprotection/) features, except for [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en) and restricted app installation, also work.
|
For usability purposes, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific work profile or user profile of your choice. Most interestingly, the [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html), [Google Play Games](https://play.google.com/googleplaygames), [Play Asset Delivery](https://developer.android.com/guide/playcore/asset-delivery), [FIDO2](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online) all work exceptionally well. Most [Advanced Protection Program](https://landing.google.com/advancedprotection/) features, except for [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en) and restricted app installation, also work.
|
||||||
|
|
||||||
Because GrapheneOS does not grant any Google Apps and Services apart from the opt-in eSIM action app privileged access to the system, Play Protect cannot disable or uninstall known malicious applications when it detects them. As for restricted app installation, this feature is not that useful on stock operating system anyways, since it is bypassable with `adb push`.
|
Because GrapheneOS does not grant any Google Apps and Services apart from the opt-in eSIM action app privileged access to the system, Play Protect cannot disable or uninstall known malicious applications when it detects them. As for restricted app installation, this feature is not that useful on stock operating system anyways, since it is bypassable with `adb push`.
|
||||||
|
|
7
content/posts/android/_index.md
Normal file
7
content/posts/android/_index.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
title: Android
|
||||||
|
ShowReadingTime: false
|
||||||
|
ShowWordCount: false
|
||||||
|
---
|
||||||
|
|
||||||
|
A collection of posts about Android and related applications
|
7
content/posts/knowledge/_index.md
Normal file
7
content/posts/knowledge/_index.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
title: Knowledge Base
|
||||||
|
ShowReadingTime: false
|
||||||
|
ShowWordCount: false
|
||||||
|
---
|
||||||
|
|
||||||
|
A collection of posts about general privacy and security knowledge
|
@ -5,7 +5,7 @@ tags: ['Operating Systems', 'Linux', 'Privacy', 'Security']
|
|||||||
author: Tommy
|
author: Tommy
|
||||||
---
|
---
|
||||||
|
|
||||||
Linux is [not](/os/linux-insecurities) a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy.
|
Linux is [not](/posts/os/linux-insecurities) a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy.
|
||||||
|
|
||||||
**Before We Start**...
|
**Before We Start**...
|
||||||
|
|
||||||
@ -33,7 +33,7 @@ Depending on your distribution, encrypted swap may be automatically set up if yo
|
|||||||
|
|
||||||
Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) by default to configure Ethernet and Wi-Fi settings.
|
Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) by default to configure Ethernet and Wi-Fi settings.
|
||||||
|
|
||||||
WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out.
|
WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/posts/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out.
|
||||||
|
|
||||||
In short, if you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf`:
|
In short, if you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf`:
|
||||||
```
|
```
|
||||||
@ -68,7 +68,7 @@ Note that randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi card
|
|||||||
|
|
||||||
### Other Identifiers
|
### Other Identifiers
|
||||||
|
|
||||||
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/knowledge/threat-modeling/):
|
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/posts/knowledge/threat-modeling/):
|
||||||
|
|
||||||
- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
|
- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
|
||||||
- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
|
- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
|
||||||
@ -87,7 +87,7 @@ Zorin OS uses the `zorin-os-cencus` package, which also uses a [unique ID](https
|
|||||||
|
|
||||||
[Snapd](https://github.com/snapcore/snapd) assigns a [unique ID](https://snapcraft.io/docs/snap-store-metrics) to your snapd installation and use it for telemetry. While this is generally not a problem, if your threat model calls for anonymity, you should not be using snap packages, and you should remove snapd from your Ubuntu installation. Like with Zorin Census, on Debian based distributions, and especially Ubuntu, consider holding `snapd` with `sudo apt-mark hold snapd`.
|
[Snapd](https://github.com/snapcore/snapd) assigns a [unique ID](https://snapcraft.io/docs/snap-store-metrics) to your snapd installation and use it for telemetry. While this is generally not a problem, if your threat model calls for anonymity, you should not be using snap packages, and you should remove snapd from your Ubuntu installation. Like with Zorin Census, on Debian based distributions, and especially Ubuntu, consider holding `snapd` with `sudo apt-mark hold snapd`.
|
||||||
|
|
||||||
Of course, this is a non-exhaustive list of how different Linux distributions do this. If you are aware of any other tracking mechanisms that different distributions use, feel free to make a [pull request](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/os/Linux-Desktop-Hardening.md) or [discussion post](https://github.com/PrivSec-dev/privsec.dev/discussions) detailing them!
|
Of course, this is a non-exhaustive list of how different Linux distributions do this. If you are aware of any other tracking mechanisms that different distributions use, feel free to make a [pull request](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/posts/linux/Linux-Desktop-Hardening.md) or [discussion post](https://github.com/PrivSec-dev/privsec.dev/discussions) detailing them!
|
||||||
|
|
||||||
### Keystroke Anonymization
|
### Keystroke Anonymization
|
||||||
You could be [fingerprinted based on soft biometric traits](https://www.whonix.org/wiki/Keystroke_Deanonymization) when you use the keyboard. The [Kloak](https://github.com/vmonaco/kloak) package could help you mitigate this threat. It is available as a .deb package from [Kicksecure's repository](https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts) and an [AUR package](https://aur.archlinux.org/packages/kloak-git).
|
You could be [fingerprinted based on soft biometric traits](https://www.whonix.org/wiki/Keystroke_Deanonymization) when you use the keyboard. The [Kloak](https://github.com/vmonaco/kloak) package could help you mitigate this threat. It is available as a .deb package from [Kicksecure's repository](https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts) and an [AUR package](https://aur.archlinux.org/packages/kloak-git).
|
||||||
@ -171,7 +171,7 @@ You can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles,
|
|||||||
|
|
||||||
If you’re running a server, you may have heard of Linux Containers. They are more common in server environments where individual services are built to operate independently. However, you may sometimes see them on desktop systems as well, especially for development purposes.
|
If you’re running a server, you may have heard of Linux Containers. They are more common in server environments where individual services are built to operate independently. However, you may sometimes see them on desktop systems as well, especially for development purposes.
|
||||||
|
|
||||||
[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/apps/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on.
|
[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/posts/apps/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on.
|
||||||
|
|
||||||
Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.
|
Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.
|
||||||
|
|
@ -47,7 +47,7 @@ The only way to systematically fix this problem is to design a whole new system
|
|||||||
|
|
||||||
## But Linux is open source!
|
## But Linux is open source!
|
||||||
|
|
||||||
Something being open source does not imply that it is inherently private, secure, or trustworthy. I recommend reading the [FLOSS Security](/knowledge/floss-security) post by [Rohan Kumar](https://seirdy.one/posts/2022/02/02/floss-security/).
|
Something being open source does not imply that it is inherently private, secure, or trustworthy. I recommend reading the [FLOSS Security](/posts/knowledge/floss-security) post by [Rohan Kumar](https://seirdy.one/posts/2022/02/02/floss-security/).
|
||||||
|
|
||||||
## But there is less malware on Linux!
|
## But there is less malware on Linux!
|
||||||
|
|
7
content/posts/linux/_index.md
Normal file
7
content/posts/linux/_index.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
title: Linux
|
||||||
|
ShowReadingTime: false
|
||||||
|
ShowWordCount: false
|
||||||
|
---
|
||||||
|
|
||||||
|
A collection of posts about Linux and related applications
|
7
content/posts/proxies/_index.md
Normal file
7
content/posts/proxies/_index.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
title: Proxies
|
||||||
|
ShowReadingTime: false
|
||||||
|
ShowWordCount: false
|
||||||
|
---
|
||||||
|
|
||||||
|
A collection of posts about proxies
|
@ -33,11 +33,11 @@ EOF
|
|||||||
Inside of the TemplateVM you have just created, do the following:
|
Inside of the TemplateVM you have just created, do the following:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.4_x86_64.rpm
|
sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
|
||||||
sudo systemctl enable mullvad-daemon
|
sudo systemctl enable mullvad-daemon
|
||||||
```
|
```
|
||||||
|
|
||||||
Replace `https://mullvad.net/media/app/MullvadVPN-2022.4_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/).
|
Replace `https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/).
|
||||||
|
|
||||||
![Mullvad VPN URL](/images/mullvad-vpn-2.png)
|
![Mullvad VPN URL](/images/mullvad-vpn-2.png)
|
||||||
|
|
||||||
@ -66,6 +66,6 @@ You can now use this ProxyVM as the net qube for other qubes!
|
|||||||
|
|
||||||
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.
|
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.
|
||||||
|
|
||||||
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
|
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
|
||||||
|
|
||||||
![MirageOS](/images/mirageos.png)
|
![MirageOS](/images/mirageos.png)
|
7
content/posts/qubes/_index.md
Normal file
7
content/posts/qubes/_index.md
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
title: Qubes OS
|
||||||
|
ShowReadingTime: false
|
||||||
|
ShowWordCount: false
|
||||||
|
---
|
||||||
|
|
||||||
|
A collection of posts about Qubes OS and related applications
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
title: Providers
|
|
||||||
---
|
|
@ -2,37 +2,37 @@
|
|||||||
|
|
||||||
#F-Droid Security Analysis
|
#F-Droid Security Analysis
|
||||||
echo "Fetching and Modifying the F-Droid Security Issues post"
|
echo "Fetching and Modifying the F-Droid Security Issues post"
|
||||||
rm -rf './content/apps/F-Droid Security Issues.md'
|
rm -rf './content/posts/android/F-Droid Security Issues.md'
|
||||||
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/fdroid-issues.md -o './content/apps/F-Droid Security Issues.md'
|
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/fdroid-issues.md -o './content/posts/android/F-Droid Security Issues.md'
|
||||||
sed -i 's/title:.*/title: "F-Droid Security Issues"/' './content/apps/F-Droid Security Issues.md'
|
sed -i 's/title:.*/title: "F-Droid Security Issues"/' './content/posts/android/F-Droid Security Issues.md'
|
||||||
sed -i '/draft:.*/d' './content/apps/F-Droid Security Issues.md'
|
sed -i '/draft:.*/d' './content/posts/android/F-Droid Security Issues.md'
|
||||||
sed -i "s/tags:.*/tags: ['Applications', 'Android', 'Security']/" './content/apps/F-Droid Security Issues.md'
|
sed -i "s/tags:.*/tags: ['Applications', 'Android', 'Security']/" './content/posts/android/F-Droid Security Issues.md'
|
||||||
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/F-Droid Security Issues.md'
|
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/android/F-Droid Security Issues.md'
|
||||||
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/fdroid-issues' './content/apps/F-Droid Security Issues.md'
|
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/fdroid-issues' './content/posts/android/F-Droid Security Issues.md'
|
||||||
sed -i '/^tags:.*/a author: Wonderfall' './content/apps/F-Droid Security Issues.md'
|
sed -i '/^tags:.*/a author: Wonderfall' './content/posts/android/F-Droid Security Issues.md'
|
||||||
|
|
||||||
|
|
||||||
#Docker and OCI Hardening
|
#Docker and OCI Hardening
|
||||||
echo "Fetching and Modifying the Docker and OCI Hardening post"
|
echo "Fetching and Modifying the Docker and OCI Hardening post"
|
||||||
rm -rf './content/apps/Docker and OCI Hardening.md'
|
rm -rf './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/apps/Docker and OCI Hardening.md'
|
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/apps/Docker and OCI Hardening.md'
|
sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
sed -i '/draft:.*/d' './content/apps/Docker and OCI Hardening.md'
|
sed -i '/draft:.*/d' './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/apps/Docker and OCI Hardening.md'
|
sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/Docker and OCI Hardening.md'
|
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/apps/Docker and OCI Hardening.md'
|
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
sed -i '/^tags:.*/a author: Wonderfall' './content/apps/Docker and OCI Hardening.md'
|
sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Docker and OCI Hardening.md'
|
||||||
|
|
||||||
#Securing OpenSSH with FIDO2
|
#Securing OpenSSH with FIDO2
|
||||||
echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
|
echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
|
||||||
rm -rf './content/os/Securing OpenSSH with FIDO2.md'
|
rm -rf './content/os/Securing OpenSSH with FIDO2.md'
|
||||||
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/os/Securing OpenSSH with FIDO2.md'
|
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/os/Securing OpenSSH with FIDO2.md'
|
sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
sed -i '/draft:.*/d' './content/os/Securing OpenSSH with FIDO2.md'
|
sed -i '/draft:.*/d' './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/os/Securing OpenSSH with FIDO2.md'
|
sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/os/Securing OpenSSH with FIDO2.md'
|
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/os/Securing OpenSSH with FIDO2.md'
|
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
sed -i '/^tags:.*/a author: Wonderfall' './content/os/Securing OpenSSH with FIDO2.md'
|
sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Securing OpenSSH with FIDO2.md'
|
||||||
|
|
||||||
# Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown.
|
# Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown.
|
||||||
# His GitHub repo: https://github.com/Seirdy/seirdy.one
|
# His GitHub repo: https://github.com/Seirdy/seirdy.one
|
||||||
|
@ -12,19 +12,19 @@
|
|||||||
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://tommytran732.report-uri.com/a/d/g"}],"include_subdomains":true}
|
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://tommytran732.report-uri.com/a/d/g"}],"include_subdomains":true}
|
||||||
NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}
|
NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}
|
||||||
|
|
||||||
/knowledge/multi-factor-authentication/
|
/posts/knowledge/multi-factor-authentication/
|
||||||
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
||||||
|
|
||||||
/os/android-tips/
|
/posts/os/android-tips/
|
||||||
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
||||||
|
|
||||||
/os/choosing-your-android-based-operating-system/
|
/posts/os/choosing-your-android-based-operating-system/
|
||||||
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
||||||
|
|
||||||
/os/choosing-your-desktop-linux-distribution/
|
/posts/os/choosing-your-desktop-linux-distribution/
|
||||||
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
||||||
|
|
||||||
/os/desktop-linux-hardening/
|
/posts/os/desktop-linux-hardening/
|
||||||
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
|
||||||
|
|
||||||
/*.xml
|
/*.xml
|
||||||
|
@ -1,3 +1,26 @@
|
|||||||
/f-droid* /apps/f-droid-security-issues/ 301
|
/os/android-tips/ /posts/android/android-tips/ 301
|
||||||
/banking* /apps/banking-applications-compatibility-with-grapheneos/ 301
|
/os/android-vpn-leakage* /posts/android/android-vpn-leakage-with-secondary-user-profiles/ 301
|
||||||
/apps/banking* /apps/banking-applications-compatibility-with-grapheneos/ 301
|
/apps/banking* /posts/android/banking-applications-compatibility-with-grapheneos/ 301
|
||||||
|
/os/choosing-your-android* /posts/android/choosing-your-android-based-operating-system/ 301
|
||||||
|
/apps/f-droid* /posts/android/f-droid-security-issues/ 301
|
||||||
|
|
||||||
|
/knowledge/badness-enumeration/ /posts/knowledge/badness-enumeration/ 301
|
||||||
|
/knowledge/commercial-vpn-use-cases/ /posts/proxies/commercial-vpn-use-cases/ 301
|
||||||
|
/knowledge/floss-security/ /posts/knowledge/floss-security/ 301
|
||||||
|
/knowledge/multi-factor-authentication/ /posts/knowledge/multi-factor-authentication/ 301
|
||||||
|
/knowledge/threat-modeling/ /posts/kmowledge/threat-modeling/ 301
|
||||||
|
|
||||||
|
/os/choosing-your-desktop-linux* /posts/linux/choosing-your-desktop-linux-distribution/ 301
|
||||||
|
/os/desktop-linux-hardening* /posts/linux/desktop-linux-hardening/ 301
|
||||||
|
/apps/docker* /posts/linux/docker-and-oci-hardening/ 301
|
||||||
|
/os/linux-insecurities* /posts/linux/linux-insecurities/ 301
|
||||||
|
/os/networkmanager* /posts/linux/networkmanager-trackability-reduction/ 301
|
||||||
|
/apps/protonvpn-ip* /posts/linux/protonvpn-ip-leakage-on-linux-and-workaround/ 301
|
||||||
|
/os/securing-openssh-with-fido2* /posts/linux/securing-openssh-with-fido2/ 301
|
||||||
|
|
||||||
|
/apps/update-your-signal* /posts/proxies/update-your-signal-tls-proxy/ 301
|
||||||
|
|
||||||
|
/os/firewalling-with-mirageos* /posts/qubes/firewalling-with-mirageos-on-qubes-os/ 301
|
||||||
|
/apps/using-lokinet-on-qubes-os* /posts/qubes/using-lokinet-on-qubes-os/ 301
|
||||||
|
/apps/using-mullvad-vpn-on-qube* /posts/qubes/using-mullvad-vpn-on-qubes-os/ 301
|
||||||
|
/os/using-split-gpg-and-split-ssh* /posts/qubes/using-split-gpg-and-split-ssh-on-qubes-os/ 301
|
||||||
|
BIN
static/images/ivpn-1.png
Normal file
BIN
static/images/ivpn-1.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 78 KiB |
Loading…
Reference in New Issue
Block a user