mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Reorganize (#72)

* Reorganize

Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2022-10-17 05:30:43 -04:00 committed by GitHub
parent 46501875be
commit bf55611133
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 127 additions and 78 deletions


@ -51,8 +51,8 @@ params:
url: code url: code
- name: Privacy - name: Privacy
url: privacy url: privacy
- name: PGP - name: Donate
url: https://tommytran.io/tommy.asc url: donate
socialIcons: socialIcons:
- name: github - name: github
@ -106,30 +106,22 @@ markup:
menu: menu:
main: main:
- identifier: Knowledge Base - identifier: Categories
name: Knowledge Base name: Categories
url: /knowledge/ url: /posts/
weight: 10 weight: 10
- identifier: Operating Systems
name: Operating Systems
url: /os/
weight: 20
- identifier: Applications
name: Applications
url: /apps/
weight: 30
- identifier: Search - identifier: Search
name: Search name: Search
url: /search/ url: /search/
weight: 40 weight: 20
- identifier: Tags - identifier: Tags
name: Tags name: Tags
url: /tags/ url: /tags/
weight: 50 weight: 30
- identifier: Donate - identifier: PGP
name: Donate name: PGP
url: /donate/ url: https://tommytran.io/tommy.asc
weight: 60 weight: 40
privacy: privacy:
disqus: disqus:
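Review bot: the main menu entries for `/knowledge/`, `/os/` and `/apps/` are removed in this hunk and replaced by a single `/posts/` entry, with nothing here that keeps the old URLs working. Inbound links and bookmarks to those section pages will break unless the moved content declares Hugo `aliases` in its front matter or the host gets redirect rules, so please add one or the other in the same change.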


@ -1,3 +0,0 @@
---
title: Applications
---


@ -1,3 +0,0 @@
---
title: Knowledge Base
---


@ -1,3 +0,0 @@
---
title: Operating Systems
---

7
content/posts/_index.md Normal file

@ -0,0 +1,7 @@
---
title: Categories
ShowReadingTime: false
ShowWordCount: false
---
Find the content you are looking for!


@ -32,7 +32,7 @@ You should also be very wary of low quality privacy branded phones like the Free
In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits. In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits.
I have written a detailed post on selecting your Android-based operating system, which you can find [here](../../os/choosing-your-android-based-operating-system). I have written a detailed post on selecting your Android-based operating system, which you can find [here](/posts/os/choosing-your-android-based-operating-system).
**TLDR**: If you are using a modern Pixel, use [GrapheneOS](https://grapheneos.org). If you are on a device supported by [DivestOS](https://divestos.org), use DivestOS. Otherwise, stick to your stock operating system. Do not blindly use an OS just because it is advertised as "degoogled". **TLDR**: If you are using a modern Pixel, use [GrapheneOS](https://grapheneos.org). If you are on a device supported by [DivestOS](https://divestos.org), use DivestOS. Otherwise, stick to your stock operating system. Do not blindly use an OS just because it is advertised as "degoogled".
@ -104,7 +104,7 @@ Multiple user profiles can be found in **Settings** → **System** → **Multipl
With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation.
Note that there is currently a [VPN leakage with secondary user profiles](/os/android-vpn-leakage-with-secondary-user-profiles). Note that there is currently a [VPN leakage with secondary user profiles](/posts/os/android-vpn-leakage-with-secondary-user-profiles).
## Work Profile ## Work Profile
@ -136,6 +136,10 @@ I have seen several common suggestions in the privacy community to mitigate this
- **Using PGPP as a carrier**: The service randomizes your IMSI by regularly reprovisioning your eSIM. However, the IMEI broadcasted by the baseband modem would remain unchanged, allowing the carriers to track you anyways. - **Using PGPP as a carrier**: The service randomizes your IMSI by regularly reprovisioning your eSIM. However, the IMEI broadcasted by the baseband modem would remain unchanged, allowing the carriers to track you anyways.
## SMS App
## Where to Get Your Applications ## Where to Get Your Applications
### GrapheneOS App Store ### GrapheneOS App Store
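Review bot: the added `## SMS App` heading has no body; the next line is already `## Where to Get Your Applications`, so the published page gets an empty section. Either add the section text in this commit or hold the heading back until the content is ready.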
@ -150,7 +154,7 @@ My recommendation is to stick with the Google Play Store unless your threat mode
### F-Droid ### F-Droid
F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them [here](/apps/f-droid-security-issues/). F-Droid, despite being often recommended in the privacy community, has various security deficiencies. You can read more about them [here](/posts/android/f-droid-security-issues/).
I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as [NeoStore](https://github.com/NeoApplications/Neo-Store). You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead. I do not recommend that you use F-Droid at all unless you have no other choice to obtain certain apps. In some rare cases, there may be some apps which require the F-Droid version to work properly without Google Play Services. If you do end up using F-Droid, I highly recommend that you avoid the official F-Droid client (which is extremely outdated and targets API level 25) and use a more modern client with seamless updates such as [NeoStore](https://github.com/NeoApplications/Neo-Store). You should also avoid using the official F-Droid repository as much as possible and stick to the F-Droid repositories hosted by the app developers instead.
@ -183,7 +187,7 @@ If you have a Google account we suggest enrolling in the [Advanced Protection Pr
The Advanced Protection Program provides enhanced threat monitoring and enables: The Advanced Protection Program provides enhanced threat monitoring and enables:
- Stricter two factor authentication; e.g. that [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) **must** be used and disallows the use of [SMS OTP](/knowledge/multi-factor-authentication/#fido2-fast-identity-online), [TOTP](/knowledge/multi-factor-authentication/#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) - Stricter two factor authentication; e.g. that [FIDO2](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online) **must** be used and disallows the use of [SMS OTP](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online), [TOTP](/posts/knowledge/multi-factor-authentication/#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth)
- Only Google and verified third-party apps can access account data - Only Google and verified third-party apps can access account data
- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts - Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts
- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome - Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome
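Review bot: in the rewritten two-factor bullet, the `SMS OTP` link still targets `#fido2-fast-identity-online`, the same anchor as the FIDO2 link next to it. Since this line is being edited anyway, point it at the SMS section of the multi-factor-authentication post, so the reader lands on the method being disallowed rather than the one being required.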


@ -17,7 +17,7 @@ You can reproduce the leak by doing the following:
1. Create a new user profile (you need to create a secondary user profile for this, as it is not reproducible on your owner profile or a work profile). Do not log into your Google account at this stage. 1. Create a new user profile (you need to create a secondary user profile for this, as it is not reproducible on your owner profile or a work profile). Do not log into your Google account at this stage.
2. Sideload a VPN app. The leak happens with every VPN provider I have tried (since it is likely a platform issue), though if you do not have a VPN subscription I would recommend getting a free one with [ProtonVPN](https://protonvpn.com). 2. Sideload a VPN app. The leak happens with every VPN provider I have tried (since it is likely a platform issue), though if you do not have a VPN subscription I would recommend getting a free one with [ProtonVPN](https://protonvpn.com).
3. Setup the VPN and the [Android VPN killswitch](/os/android-tips/#enable-vpn-killswitch). 3. Setup the VPN and the [Android VPN killswitch](/posts/os/android-tips/#enable-vpn-killswitch).
4. Log into your Google account through Play Services. 4. Log into your Google account through Play Services.
5. Restart the phone. Open the secondary user profile again. 5. Restart the phone. Open the secondary user profile again.
6. Go to Google's [My Devices](https://myaccount.google.com/device-activity) page. Observe that one of the sessions for your phone has your actual location obtained with GeoIP. In some cases, your actual IP address will be shown there as well. 6. Go to Google's [My Devices](https://myaccount.google.com/device-activity) page. Observe that one of the sessions for your phone has your actual location obtained with GeoIP. In some cases, your actual IP address will be shown there as well.


@ -51,7 +51,7 @@ Some Android-based operating systems, including ones like CalyxOS, often fall be
### User Builds ### User Builds
As mentioned [above](/os/choosing-your-android-based-operating-system/), `userdebug` builds expose root over ADB and require more permissive SELinux policies to accommodate debugging features. `userdebug` builds violate the Android security model and are really only meant for developers to test out their android builds during development. As mentioned [above](/posts/os/choosing-your-android-based-operating-system/), `userdebug` builds expose root over ADB and require more permissive SELinux policies to accommodate debugging features. `userdebug` builds violate the Android security model and are really only meant for developers to test out their android builds during development.
End users should be using the production `user` builds, and any distributions that fail to deliver them like LineageOS or /e/ OS should be avoided. End users should be using the production `user` builds, and any distributions that fail to deliver them like LineageOS or /e/ OS should be avoided.
@ -76,7 +76,7 @@ Currently, I am only aware of two Android-based operating systems that should be
{{< youtube id="hx2eiPTe7Zg">}} {{< youtube id="hx2eiPTe7Zg">}}
For usability purposes, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific work profile or user profile of your choice. Most interestingly, the [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html), [Google Play Games](https://play.google.com/googleplaygames), [Play Asset Delivery](https://developer.android.com/guide/playcore/asset-delivery), [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) all work exceptionally well. Most [Advanced Protection Program](https://landing.google.com/advancedprotection/) features, except for [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en) and restricted app installation, also work. For usability purposes, GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific work profile or user profile of your choice. Most interestingly, the [In-app Billing API](https://android-doc.github.io/google/play/billing/api.html), [Google Play Games](https://play.google.com/googleplaygames), [Play Asset Delivery](https://developer.android.com/guide/playcore/asset-delivery), [FIDO2](/posts/knowledge/multi-factor-authentication/#fido2-fast-identity-online) all work exceptionally well. 
Most [Advanced Protection Program](https://landing.google.com/advancedprotection/) features, except for [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en) and restricted app installation, also work.
Because GrapheneOS does not grant any Google Apps and Services apart from the opt-in eSIM action app privileged access to the system, Play Protect cannot disable or uninstall known malicious applications when it detects them. As for restricted app installation, this feature is not that useful on stock operating system anyways, since it is bypassable with `adb push`. Because GrapheneOS does not grant any Google Apps and Services apart from the opt-in eSIM action app privileged access to the system, Play Protect cannot disable or uninstall known malicious applications when it detects them. As for restricted app installation, this feature is not that useful on stock operating system anyways, since it is bypassable with `adb push`.


@ -0,0 +1,7 @@
---
title: Android
ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about Android and related applications


@ -0,0 +1,7 @@
---
title: Knowledge Base
ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about general privacy and security knowledge


@ -5,7 +5,7 @@ tags: ['Operating Systems', 'Linux', 'Privacy', 'Security']
author: Tommy author: Tommy
--- ---
Linux is [not](/os/linux-insecurities) a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy. Linux is [not](/posts/os/linux-insecurities) a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy.
**Before We Start**... **Before We Start**...
@ -33,7 +33,7 @@ Depending on your distribution, encrypted swap may be automatically set up if yo
Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) by default to configure Ethernet and Wi-Fi settings. Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager) by default to configure Ethernet and Wi-Fi settings.
WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out. WfKe9vLwSvv7rN has detailed guide on [trackability reduction with NetworkManager](/posts/os/networkmanager-trackability-reduction/) and I highly recommend that you check it out.
In short, if you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf`: In short, if you use NetworkManager, add the following to your `/etc/NetworkManager/conf.d/00-macrandomize.conf`:
``` ```
@ -68,7 +68,7 @@ Note that randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi card
### Other Identifiers ### Other Identifiers
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/knowledge/threat-modeling/): There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](/posts/knowledge/threat-modeling/):
- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. - **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). - **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id).
@ -87,7 +87,7 @@ Zorin OS uses the `zorin-os-cencus` package, which also uses a [unique ID](https
[Snapd](https://github.com/snapcore/snapd) assigns a [unique ID](https://snapcraft.io/docs/snap-store-metrics) to your snapd installation and use it for telemetry. While this is generally not a problem, if your threat model calls for anonymity, you should not be using snap packages, and you should remove snapd from your Ubuntu installation. Like with Zorin Census, on Debian based distributions, and especially Ubuntu, consider holding `snapd` with `sudo apt-mark hold snapd`. [Snapd](https://github.com/snapcore/snapd) assigns a [unique ID](https://snapcraft.io/docs/snap-store-metrics) to your snapd installation and use it for telemetry. While this is generally not a problem, if your threat model calls for anonymity, you should not be using snap packages, and you should remove snapd from your Ubuntu installation. Like with Zorin Census, on Debian based distributions, and especially Ubuntu, consider holding `snapd` with `sudo apt-mark hold snapd`.
Of course, this is a non-exhaustive list of how different Linux distributions do this. If you are aware of any other tracking mechanisms that different distributions use, feel free to make a [pull request](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/os/Linux-Desktop-Hardening.md) or [discussion post](https://github.com/PrivSec-dev/privsec.dev/discussions) detailing them! Of course, this is a non-exhaustive list of how different Linux distributions do this. If you are aware of any other tracking mechanisms that different distributions use, feel free to make a [pull request](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/posts/linux/Linux-Desktop-Hardening.md) or [discussion post](https://github.com/PrivSec-dev/privsec.dev/discussions) detailing them!
### Keystroke Anonymization ### Keystroke Anonymization
You could be [fingerprinted based on soft biometric traits](https://www.whonix.org/wiki/Keystroke_Deanonymization) when you use the keyboard. The [Kloak](https://github.com/vmonaco/kloak) package could help you mitigate this threat. It is available as a .deb package from [Kicksecure's repository](https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts) and an [AUR package](https://aur.archlinux.org/packages/kloak-git). You could be [fingerprinted based on soft biometric traits](https://www.whonix.org/wiki/Keystroke_Deanonymization) when you use the keyboard. The [Kloak](https://github.com/vmonaco/kloak) package could help you mitigate this threat. It is available as a .deb package from [Kicksecure's repository](https://www.kicksecure.com/wiki/Packages_for_Debian_Hosts) and an [AUR package](https://aur.archlinux.org/packages/kloak-git).
@ -171,7 +171,7 @@ You can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles,
If youre running a server, you may have heard of Linux Containers. They are more common in server environments where individual services are built to operate independently. However, you may sometimes see them on desktop systems as well, especially for development purposes. If youre running a server, you may have heard of Linux Containers. They are more common in server environments where individual services are built to operate independently. However, you may sometimes see them on desktop systems as well, especially for development purposes.
[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/apps/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on. [Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/posts/apps/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on.
Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host. Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.
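Review bot: the Docker and OCI Hardening link is rewritten to `/posts/apps/docker-and-oci-hardening/`, but the fetch script changed in this same commit writes that post to `./content/posts/linux/Docker and OCI Hardening.md`. Unless a permalink override maps it back under `apps`, this link will not resolve; it should follow the file to `/posts/linux/docker-and-oci-hardening/`. The same file now mixes `/posts/os/...` site links with a GitHub path under `content/posts/linux/`, so it is worth building the site and running a link check before merging.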


@ -47,7 +47,7 @@ The only way to systematically fix this problem is to design a whole new system
## But Linux is open source! ## But Linux is open source!
Something being open source does not imply that it is inherently private, secure, or trustworthy. I recommend reading the [FLOSS Security](/knowledge/floss-security) post by [Rohan Kumar](https://seirdy.one/posts/2022/02/02/floss-security/). Something being open source does not imply that it is inherently private, secure, or trustworthy. I recommend reading the [FLOSS Security](/posts/knowledge/floss-security) post by [Rohan Kumar](https://seirdy.one/posts/2022/02/02/floss-security/).
## But there is less malware on Linux! ## But there is less malware on Linux!


@ -0,0 +1,7 @@
---
title: Linux
ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about Linux and related applications


@ -0,0 +1,7 @@
---
title: Proxies
ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about proxies


@ -33,11 +33,11 @@ EOF
Inside of the TemplateVM you have just created, do the following: Inside of the TemplateVM you have just created, do the following:
```bash ```bash
sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.4_x86_64.rpm sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
sudo systemctl enable mullvad-daemon sudo systemctl enable mullvad-daemon
``` ```
Replace `https://mullvad.net/media/app/MullvadVPN-2022.4_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/). Replace `https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/).
![Mullvad VPN URL](/images/mullvad-vpn-2.png) ![Mullvad VPN URL](/images/mullvad-vpn-2.png)
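Review bot: the `sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` line installs a package straight from a URL into the TemplateVM, and the visible steps include no signature verification. A compromised template affects every qube based on it, so the guide should have the reader download the RPM, verify it against Mullvad's published signing key, and only then install the local file. The version is also hard-coded in both the command and the sentence below it and was bumped by hand here; a placeholder such as `MullvadVPN-<version>_x86_64.rpm` would stop the post from going stale on each release.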
@ -66,6 +66,6 @@ You can now use this ProxyVM as the net qube for other qubes!
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling. With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced. Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
![MirageOS](/images/mirageos.png) ![MirageOS](/images/mirageos.png)


@ -0,0 +1,7 @@
---
title: Qubes OS
ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about Qubes OS and related applications


@ -1,3 +0,0 @@
---
title: Providers
---


@ -2,37 +2,37 @@
#F-Droid Security Analysis #F-Droid Security Analysis
echo "Fetching and Modifying the F-Droid Security Issues post" echo "Fetching and Modifying the F-Droid Security Issues post"
rm -rf './content/apps/F-Droid Security Issues.md' rm -rf './content/posts/android/F-Droid Security Issues.md'
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/fdroid-issues.md -o './content/apps/F-Droid Security Issues.md' curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/fdroid-issues.md -o './content/posts/android/F-Droid Security Issues.md'
sed -i 's/title:.*/title: "F-Droid Security Issues"/' './content/apps/F-Droid Security Issues.md' sed -i 's/title:.*/title: "F-Droid Security Issues"/' './content/posts/android/F-Droid Security Issues.md'
sed -i '/draft:.*/d' './content/apps/F-Droid Security Issues.md' sed -i '/draft:.*/d' './content/posts/android/F-Droid Security Issues.md'
sed -i "s/tags:.*/tags: ['Applications', 'Android', 'Security']/" './content/apps/F-Droid Security Issues.md' sed -i "s/tags:.*/tags: ['Applications', 'Android', 'Security']/" './content/posts/android/F-Droid Security Issues.md'
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/F-Droid Security Issues.md' sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/android/F-Droid Security Issues.md'
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/fdroid-issues' './content/apps/F-Droid Security Issues.md' sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/fdroid-issues' './content/posts/android/F-Droid Security Issues.md'
sed -i '/^tags:.*/a author: Wonderfall' './content/apps/F-Droid Security Issues.md' sed -i '/^tags:.*/a author: Wonderfall' './content/posts/android/F-Droid Security Issues.md'
#Docker and OCI Hardening #Docker and OCI Hardening
echo "Fetching and Modifying the Docker and OCI Hardening post" echo "Fetching and Modifying the Docker and OCI Hardening post"
rm -rf './content/apps/Docker and OCI Hardening.md' rm -rf './content/posts/linux/Docker and OCI Hardening.md'
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/apps/Docker and OCI Hardening.md' curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/docker-hardening.md -o './content/posts/linux/Docker and OCI Hardening.md'
sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/apps/Docker and OCI Hardening.md' sed -i 's/title:.*/title: "Docker and OCI Hardening"/' './content/posts/linux/Docker and OCI Hardening.md'
sed -i '/draft:.*/d' './content/apps/Docker and OCI Hardening.md' sed -i '/draft:.*/d' './content/posts/linux/Docker and OCI Hardening.md'
sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/apps/Docker and OCI Hardening.md' sed -i "s/tags:.*/tags: ['Applications', 'Linux', 'Container', 'Security']/" './content/posts/linux/Docker and OCI Hardening.md'
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/apps/Docker and OCI Hardening.md' sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Docker and OCI Hardening.md'
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/apps/Docker and OCI Hardening.md' sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/docker-hardening/' './content/posts/linux/Docker and OCI Hardening.md'
sed -i '/^tags:.*/a author: Wonderfall' './content/apps/Docker and OCI Hardening.md' sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Docker and OCI Hardening.md'
#Securing OpenSSH with FIDO2 #Securing OpenSSH with FIDO2
echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post" echo "Fetching and Modifying the OpenSSH with FIDO2 Hardening post"
rm -rf './content/os/Securing OpenSSH with FIDO2.md' rm -rf './content/os/Securing OpenSSH with FIDO2.md'
curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/os/Securing OpenSSH with FIDO2.md' curl https://raw.githubusercontent.com/Wonderfall/wonderfall.github.io/main/content/posts/openssh-fido2.md -o './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/os/Securing OpenSSH with FIDO2.md' sed -i 's/title:.*/title: "Securing OpenSSH with FIDO2"/' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i '/draft:.*/d' './content/os/Securing OpenSSH with FIDO2.md' sed -i '/draft:.*/d' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/os/Securing OpenSSH with FIDO2.md' sed -i "s/tags:.*/tags: ['Operating Systems', 'Linux', 'Security']/" './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/os/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a ShowCanonicalLink: true' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/os/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a canonicalURL: https://wonderfall.dev/openssh-fido2/' './content/posts/linux/Securing OpenSSH with FIDO2.md'
sed -i '/^tags:.*/a author: Wonderfall' './content/os/Securing OpenSSH with FIDO2.md' sed -i '/^tags:.*/a author: Wonderfall' './content/posts/linux/Securing OpenSSH with FIDO2.md'
# Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown. # Blogs by Rohan Kumar (a.k.a Seirdy) currently need to be manually ported, as he uses a lot of HTML inside of the source instead of just markdown.
# His GitHub repo: https://github.com/Seirdy/seirdy.one # His GitHub repo: https://github.com/Seirdy/seirdy.one
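Review bot: the `rm -rf './content/os/Securing OpenSSH with FIDO2.md'` line is identical on both sides, so the cleanup still targets the old `content/os/` location while the `curl` and every `sed` after it now work on `./content/posts/linux/`. Point the `rm` at the new path, or drop it, since `curl -o` overwrites the target anyway. Separately, the `curl` runs without `--fail` and fetches from the upstream `main` branch, so an HTTP error body or an unreviewed upstream change would be written into the post and then rewritten by the `sed` calls. Consider `curl -fsSL` and pinning the URL to a commit hash.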

View File

@ -12,19 +12,19 @@
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://tommytran732.report-uri.com/a/d/g"}],"include_subdomains":true} Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://tommytran732.report-uri.com/a/d/g"}],"include_subdomains":true}
NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true} NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}
/knowledge/multi-factor-authentication/ /posts/knowledge/multi-factor-authentication/
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
/os/android-tips/ /posts/os/android-tips/
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
/os/choosing-your-android-based-operating-system/ /posts/os/choosing-your-android-based-operating-system/
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
/os/choosing-your-desktop-linux-distribution/ /posts/os/choosing-your-desktop-linux-distribution/
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
/os/desktop-linux-hardening/ /posts/os/desktop-linux-hardening/
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'
/*.xml /*.xml
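Review bot: four of the five renamed path blocks point at `/posts/os/...` (for example `/posts/os/android-tips/` and `/posts/os/desktop-linux-hardening/`), but the redirect rules in this same commit move those posts to `/posts/android/...` and `/posts/linux/...`. Only `/posts/knowledge/multi-factor-authentication/` agrees with its redirect target. If these blocks match on the served path, the Content-Security-Policy carrying the `frame-src` allowance will not be applied to the moved pages, and they will fall under whatever the site-wide policy is. Update the four paths to the final URLs used in the redirects.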

View File

@ -1,3 +1,26 @@
/f-droid* /apps/f-droid-security-issues/ 301 /os/android-tips/ /posts/android/android-tips/ 301
/banking* /apps/banking-applications-compatibility-with-grapheneos/ 301 /os/android-vpn-leakage* /posts/android/android-vpn-leakage-with-secondary-user-profiles/ 301
/apps/banking* /apps/banking-applications-compatibility-with-grapheneos/ 301 /apps/banking* /posts/android/banking-applications-compatibility-with-grapheneos/ 301
/os/choosing-your-android* /posts/android/choosing-your-android-based-operating-system/ 301
/apps/f-droid* /posts/android/f-droid-security-issues/ 301
/knowledge/badness-enumeration/ /posts/knowledge/badness-enumeration/ 301
/knowledge/commercial-vpn-use-cases/ /posts/proxies/commercial-vpn-use-cases/ 301
/knowledge/floss-security/ /posts/knowledge/floss-security/ 301
/knowledge/multi-factor-authentication/ /posts/knowledge/multi-factor-authentication/ 301
/knowledge/threat-modeling/ /posts/kmowledge/threat-modeling/ 301
/os/choosing-your-desktop-linux* /posts/linux/choosing-your-desktop-linux-distribution/ 301
/os/desktop-linux-hardening* /posts/linux/desktop-linux-hardening/ 301
/apps/docker* /posts/linux/docker-and-oci-hardening/ 301
/os/linux-insecurities* /posts/linux/linux-insecurities/ 301
/os/networkmanager* /posts/linux/networkmanager-trackability-reduction/ 301
/apps/protonvpn-ip* /posts/linux/protonvpn-ip-leakage-on-linux-and-workaround/ 301
/os/securing-openssh-with-fido2* /posts/linux/securing-openssh-with-fido2/ 301
/apps/update-your-signal* /posts/proxies/update-your-signal-tls-proxy/ 301
/os/firewalling-with-mirageos* /posts/qubes/firewalling-with-mirageos-on-qubes-os/ 301
/apps/using-lokinet-on-qubes-os* /posts/qubes/using-lokinet-on-qubes-os/ 301
/apps/using-mullvad-vpn-on-qube* /posts/qubes/using-mullvad-vpn-on-qubes-os/ 301
/os/using-split-gpg-and-split-ssh* /posts/qubes/using-split-gpg-and-split-ssh-on-qubes-os/ 301
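Review bot: the target in `/knowledge/threat-modeling/ /posts/kmowledge/threat-modeling/ 301` is misspelled (`kmowledge`), so the old threat-modeling URL will be permanently redirected to a path that does not match the `/posts/knowledge/` directory used by the neighbouring rules. Because a 301 is cached by clients, fix this before it ships. Also note that the old short rules `/f-droid*` and `/banking*` are dropped on the new side with no replacement, so existing inbound links using those prefixes stop resolving. If that is not intended, keep them and point them at the new `/posts/android/...` targets.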

BIN
static/images/ivpn-1.png Normal file

Binary file not shown.
