- AppArmor: How To Use
To enable or disable these at kernel boot time, put the options on the kernel command line (GRUB_CMDLINE_LINUX in /etc/default/grub) and then run 'update-grub2':
apparmor=1 selinux=1 audit=1
Appropriate packages may need to be in place. Note that only one of AppArmor and SELinux can be the active LSM on a given boot (on Debian kernels the active one is selected with the 'security=' parameter), so pick one; after rebooting, confirm the result with 'cat /proc/cmdline' and 'aa-status' or 'sestatus'.
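The edit to /etc/default/grub is easy to get wrong by hand (a second, conflicting apparmor=0 left on the line, or quotes dropped), so here is an added example, not code from the original post, that edits the GRUB_CMDLINE_LINUX line by parameter key and checks the running kernel's command line afterwards. It works on strings, so it can be tried without root; writing the result back and running update-grub2 is left to the caller. The sample file contents are constructed, and the 'security=apparmor' parameter is one I add as the usual way of selecting AppArmor on Debian kernels.

```python
# Added example (not from the original post): manage kernel boot options in
# the text of /etc/default/grub and verify them against /proc/cmdline.
import re
import shlex

CMDLINE_KEY = "GRUB_CMDLINE_LINUX"


def cmdline_params(text):
    """Return the words of the GRUB_CMDLINE_LINUX="..." line as a list
    (empty if the key is unset). GRUB_CMDLINE_LINUX_DEFAULT is not matched."""
    m = re.search(r'^%s="?([^"\n]*)"?[ \t]*$' % CMDLINE_KEY, text, re.M)
    return m.group(1).split() if m else []


def set_params(text, add=(), drop=()):
    """Return new file text with the ADD parameters present and the DROP
    ones removed. Parameters are matched by key, so add=("apparmor=1",)
    replaces an existing apparmor=0 instead of appending a conflicting
    second word; drop=("selinux",) removes selinux=<anything>."""
    keys_out = {p.split("=", 1)[0] for p in list(add) + list(drop)}
    kept = [p for p in cmdline_params(text) if p.split("=", 1)[0] not in keys_out]
    line = '%s="%s"' % (CMDLINE_KEY, " ".join(kept + list(add)))
    pattern = r"^%s=.*$" % CMDLINE_KEY
    if re.search(pattern, text, re.M):
        return re.sub(pattern, lambda _m: line, text, count=1, flags=re.M)
    return text.rstrip("\n") + "\n" + line + "\n"


def check_boot(proc_cmdline, wanted):
    """Map each WANTED option to True/False according to the text of
    /proc/cmdline (exact word match, so apparmor=1 != apparmor=0)."""
    present = set(shlex.split(proc_cmdline))
    return {w: (w in present) for w in wanted}


if __name__ == "__main__":
    # Constructed sample of /etc/default/grub, not a real system's file.
    sample = ('GRUB_DEFAULT=0\nGRUB_TIMEOUT=5\n'
              'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX="apparmor=0"\n')
    print(set_params(sample, add=("apparmor=1", "security=apparmor", "audit=1"),
                     drop=("selinux",)))
    with open("/proc/cmdline") as f:      # Linux only
        print(check_boot(f.read(), ["apparmor=1", "audit=1"]))
```

The check against /proc/cmdline matters because a typo in /etc/default/grub fails silently: the kernel ignores parameters it does not recognise, and the LSM you meant to enable simply is not there.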
The more you try to hide, the more attention you attract. -- Anon - the movie
Anonymizing oneself is difficult. Technology companies keep coming up with surprising ways to bypass the cloak of 'leave me alone' we attempt to wrap around ourselves. From a newsgroup, here is an interesting exchange describing the continuing escalation:
The statement of purpose:
To augment what many already have said here - it's a tie between IP address and household address and name/surname that should not be public, the address itself is mostly harmless and it doesn't matter if it's static or dynamic. Tracing gets done on L7 and above anyway
The statement of bypass:
In the current state of the web, if a user gets a new address, the various web surveillance mechanisms will associate it with the previous user identity and context after maybe a dozen web queries or two. That gets better if the user has a strong defensive posture, blocks web trackers, etc. But it just takes one cookie, or one login, or some other inference, and poof, the surveillance databases know that new_address_X is the same user as old_address_Y.
The case of the household is even worse. It takes only one cookie, login, etc, and the surveillance databases will learn that new_prefix_P is the same household as old_prefix_Q. Even if you run Ghostery or Privacy Badger or the latest release of Firefox, you won't escape if you share a prefix with someone in your household who doesn't. Or with one of those surveillance devices that masquerade as thermostats or light switches or voice assistants.
So that's pretty bleak. If you want defense, you probably want to allocate different /64 prefixes to different devices, and change them really often. You may not need to change them for every device -- no point providing privacy to the surveillance thermostat. But for your laptop, your tablet or your phone, they need to change before the surveillance advertisers see you access a dozen web pages or two.
-- Christian Huitema
To help the discussion of how matching identifying information can be quite easy, take the following tests with your browser:
Background info on browser fingerprinting and tracking:
To finish things off, another quote from Anon - the movie:
It is not that I have something to hide, it is that I have nothing I want you to see
I am looking to build a small console based password manager. I started looking at this when RoboForm stopped being able to work in a Firefox browser with a local password file. They now force passwords to their cloud platform. Uck.
Bottom line, I need to encrypt sites, names, and passwords into a small file which I can rsync amongst devices until I can build in a sync'ing process. I would like to be able to do this between Linux, Mac, Windows, and Android.
I started by doing a test program with crypto++, as it seemed to be a lightweight library which could easily be adapted for use on the Android.
Further research indicates that switching to libsodium might be worthwhile. Documentation seems to be better, and it explicitly supports Android, and it interestingly discusses the drawbacks of using GCM-AES, and instead suggests using ChaCha20-Poly1305 for Authenticated Encryption.
Something to go along with this would be using the SSH agent for nonce signing. Information is available in SSH Agent Protocol or draft-miller-ssh-agent-02, with a bit of an example at How to use the ssh-agent programmatically for RSA signing.
More coding to do.
In related reading, I came across:
Beginnings of a console based password manager.
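Since the post points at draft-miller-ssh-agent for nonce signing, here is an added example (not code from the original post) of the agent protocol's wire format: the framing, the request-identities and sign-request messages, and the parsing of the replies, as a password manager would use them to have the agent sign a challenge. The message-building functions work on bytes and can be checked offline; sign_with_agent() talks to a real agent over $SSH_AUTH_SOCK when one is running. Message type numbers are those of the draft; the 32-byte nonce in the demo is my own choice.

```python
# Added example (not from the original post): SSH agent protocol client
# for signing a nonce, per draft-miller-ssh-agent message formats.
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off=0):
    """Decode one SSH string at OFF; returns (data, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if len(buf) < off + 4 + n:
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type, payload=b""):
    """Agent framing: uint32 length, one type byte, then the payload."""
    return ssh_string(bytes([msg_type]) + payload)


def unframe(data):
    """Reverse of frame(); returns (type, payload), raising on short input."""
    body, _ = read_string(data)
    if not body:
        raise ValueError("empty agent message")
    return body[0], body[1:]


def identities_request():
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def parse_identities(payload):
    """IDENTITIES_ANSWER payload: uint32 count, then (key blob, comment) pairs."""
    (count,) = struct.unpack_from(">I", payload, 0)
    off, keys = 4, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys


def sign_request(key_blob, data, flags=0):
    """SIGN_REQUEST payload: key blob, data to sign, uint32 flags."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags))


def parse_signature(payload):
    """SIGN_RESPONSE carries one string: a signature blob that is itself
    encoded as (algorithm name, signature bytes)."""
    blob, _ = read_string(payload)
    alg, off = read_string(blob)
    sig, _ = read_string(blob, off)
    return alg.decode(), sig


def agent_call(sock, request):
    """Send one framed request and read exactly one framed reply."""
    sock.sendall(request)
    head = sock.recv(4)
    (n,) = struct.unpack(">I", head)
    body = b""
    while len(body) < n:
        chunk = sock.recv(n - len(body))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        body += chunk
    return unframe(head + body)


def sign_with_agent(nonce, sock_path=None):
    """Have the running agent sign NONCE with its first key; returns (alg, sig)."""
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        t, payload = agent_call(s, identities_request())
        keys = parse_identities(payload) if t == SSH_AGENT_IDENTITIES_ANSWER else []
        if not keys:
            raise RuntimeError("agent holds no keys")
        t, payload = agent_call(s, sign_request(keys[0][0], nonce))
        if t != SSH_AGENT_SIGN_RESPONSE:
            raise RuntimeError("agent refused to sign (type %d)" % t)
        return parse_signature(payload)


if __name__ == "__main__":
    # Constructed 32-byte challenge; a real manager uses a fresh one per unlock.
    print(sign_with_agent(os.urandom(32)))
```

One caveat for the password-manager use: if the signature is going to be turned into key material rather than merely verified, it has to be reproducible, so this only works with keys whose signatures are deterministic (Ed25519, RSA); ECDSA signatures differ on every call.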
blocklist_net_ua from firehol
I have been doing this for a while, but have now found that ipset fits in very well here.
- Adding and removing ips from a set is easier than fiddling with iptables syntax.
- The timeout feature comes in very handy.
- Basically the iptables rules can be static.
RIPE: blocking by country
Do these first, in the mangle table:
- PREROUTING; in short, drop traffic you already know you don't want as early as possible in netfilter; waste not one extra CPU cycle processing such packets.
- DROP all INVALID packets; netfilter doesn't know why they arrived nor where they should go, so just drop them.
- Determine countries you *never* want to exchange traffic with and DROP packets to and from those IPs. But be aware. Sometimes apparently legitimate sites (like alibaba and linux-questions) will be blocked.
- I made a simple mod for Smoothwall Express that automates block sets; it can probably be easily adapted for general netfilter use. It uses the Exploited Servers, Chinese, Nigerian, Russian and LACNIC lists from wizcrafts. The sets are auto-updated daily. I had also used the 90-day list from openbl for a while. The problem with some of these blocklists is that they occasionally get *too* zealous and block legitimate sites. So I added admin whitelisting capability. And then added admin blocklist capability for completeness. The set of blocklists to be used is configurable. It's fairly easy to add parsers for other list formats.
- GAR is another Smoothwall Express mod, but is closely tied to Smoothwall; I mention it because I think it does almost exactly what you want. It watches snort/suricata alerts and drops packets for a period of time to and from any IP that causes an alert. Theory: if you see someone outside your home checking the locks on your windows, will you let him in your front door if he knocks? Of course not. So if a host (IP addr) probes your network for services that don't exist (such as SQL, ftpd, telnetd), or tries a known exploit, don't let any packets go to or from that IP for some specified period of time.
- DROP all traffic to and from TEST NET addresses and other address blocks that should never be routed.
- DROP all internet-side traffic to and from private addresses unless you know that there are some private LANs between you and the actual internet.
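To make the pieces above concrete, here is an added example, not code from the post or from the Smoothwall mod it describes, that turns a blocklist in the one-network-per-line format of the firehol lists into an 'ipset restore' stream, carves out an admin whitelist using ipset's 'nomatch' flag, emits the static mangle/PREROUTING rules that never need to change, and shows the GAR-style temporary block using the set timeout. Set names, the interface name, the timeouts and the sample lists are my own choices; the netset parser is a starting point for the "parsers for other list formats" mentioned above.

```python
# Added example (not from the original post): blocklist -> ipset restore
# stream, static netfilter rules, and alert-driven temporary blocks.
import ipaddress

BLOCK_SET = "blocklist"   # hash:net for downloaded ranges (name is my choice)
GAR_SET = "gar-block"     # hash:ip for temporary, alert-driven drops
DAY = 86400

# Never-routed space that should not appear on the internet side:
# RFC 5737 TEST-NETs and RFC 1918 private ranges.
BOGONS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
          "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_netset(text):
    """Yield IPv4 networks from firehol-style text (one IP or CIDR per line,
    '#' comments); unparsable lines and IPv6 entries are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            yield net


def ipset_restore(blocklist_text, whitelist_text="", timeout=DAY):
    """Text for `ipset -exist restore`: (re)create the set, give every range a
    timeout so stale entries age out, drop blocked ranges that fall inside a
    whitelisted one, and add whitelisted hosts that sit inside a blocked
    range with `nomatch` so the more specific exception wins."""
    white = list(parse_netset(whitelist_text))
    blocked = [b for b in parse_netset(blocklist_text)
               if not any(b.subnet_of(w) for w in white)]
    blocked = list(ipaddress.collapse_addresses(blocked))
    out = ["create %s hash:net family inet timeout %d" % (BLOCK_SET, timeout),
           "flush %s" % BLOCK_SET]
    out += ["add %s %s timeout %d" % (BLOCK_SET, b, timeout) for b in blocked]
    out += ["add %s %s timeout %d nomatch" % (BLOCK_SET, w, timeout)
            for w in white if any(w.subnet_of(b) for b in blocked)]
    return "\n".join(out) + "\n"


def netfilter_rules(wan_if="eth0"):
    """Static rules for mangle/PREROUTING: INVALID first, then both sets in
    both directions, then bogon sources on the internet-side interface.
    Set names never change, so these stay put while the sets are refreshed."""
    pre = "iptables -t mangle -A PREROUTING"
    rules = ["ipset -exist create %s hash:ip family inet timeout 3600" % GAR_SET,
             "%s -m conntrack --ctstate INVALID -j DROP" % pre]
    for name in (BLOCK_SET, GAR_SET):
        for direction in ("src", "dst"):
            rules.append("%s -m set --match-set %s %s -j DROP" % (pre, name, direction))
    rules += ["%s -i %s -s %s -j DROP" % (pre, wan_if, b) for b in BOGONS]
    return rules


def temp_block(ip, seconds=3600):
    """The GAR idea: after an IDS alert, quarantine the peer for a while; the
    ipset timeout removes it again with no iptables changes."""
    return "ipset -exist add %s %s timeout %d" % (GAR_SET, ipaddress.ip_address(ip), seconds)


if __name__ == "__main__":
    # Constructed lists, not a downloaded blocklist.
    print(ipset_restore("# demo\n203.0.113.0/24\n198.51.100.5\n", "203.0.113.7\n"))
    print("\n".join(netfilter_rules()))
    print(temp_block("198.51.100.9", 600))
```

Feed the restore text to 'ipset -exist restore' from the daily update job; because the iptables rules reference the set by name, refreshing the contents never touches the rule set, which is the "rules can be static" point above.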
>>> Of course this is mostly moot with the rise of SSDs, which,
>>> as others have pointed out,
>>> are hard to erase with any certainty.
>> You guys all seem to be ignoring Secure Erase. Any particular reason?
>> Secure Erase Certified Intel SSD
> Only available on some high-end Intel SSD's, and the software to talk to the drive to trigger it is available only on Windows. It does appear to be based on a standard ATA (but not SCSI) command, so others could implement the command (in the hardware) or access to the command (in the software).
Actually no, most SSDs sold since the late 2000s have supported the feature set, and on Linux the hdparm command has supported it since 2005.
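Whether a given drive will actually accept the ATA SECURITY ERASE UNIT command is answered by the Security section of 'hdparm -I' output, and the usual surprise is a drive that is "frozen" by the BIOS at boot. Here is an added example, not code from the thread above, that reads that section and says whether an erase can be issued now. The sample output is constructed in the shape hdparm prints; run 'hdparm -I /dev/sdX' for a real drive.

```python
# Added example (not from the original post): parse the Security section of
# `hdparm -I` output and report secure-erase readiness.
import re

# Constructed sample in the layout hdparm -I uses (tabs matter).
SAMPLE_HDPARM = "\n".join([
    "ATA device, with non-removable media",
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\t\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t2min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT. ",
    "Checksum: correct",
])


def parse_security(hdparm_output):
    """Return the Security flags (supported, enabled, locked, frozen,
    enhanced) and the advertised erase times in minutes."""
    info = {"supported": False, "enabled": False, "locked": False,
            "frozen": False, "enhanced": False,
            "erase_min": None, "enhanced_erase_min": None}
    in_section = False
    for line in hdparm_output.splitlines():
        if not in_section:
            in_section = line.startswith("Security:")
            continue
        if line and not line[0].isspace():
            break                                   # next top-level section
        text = line.strip()
        negated = text.startswith("not")            # "not<TAB>enabled" lines
        if negated:
            text = text[3:].strip()
        if text == "supported":
            info["supported"] = not negated
        elif text == "supported: enhanced erase":
            info["enhanced"] = not negated
        elif text in ("enabled", "locked", "frozen"):
            info[text] = not negated
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", text)
        if m:
            info["erase_min"] = int(m.group(1))
        m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", text)
        if m:
            info["enhanced_erase_min"] = int(m.group(1))
    return info


def erase_readiness(info):
    """Explain whether SECURITY ERASE UNIT can be issued right now."""
    if not info["supported"]:
        return "not supported: drive lacks the ATA security feature set"
    if info["frozen"]:
        return "frozen: the BIOS locked the security state; suspend/resume or hot-plug the drive first"
    if info["locked"]:
        return "locked: the drive wants its user password before it will erase"
    kind = "enhanced " if info["enhanced"] else ""
    return "ready: %ssecure erase available" % kind


if __name__ == "__main__":
    info = parse_security(SAMPLE_HDPARM)
    print(info)
    print(erase_readiness(info))
```

After the erase, verify rather than trust: read a sample of sectors back and confirm they are zero (or, for self-encrypting drives doing a crypto erase, unreadable garbage), since the time hdparm reports is a promise from the firmware, not evidence.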
kcptun: wan accelerator, congestion handler, ...
Some sites will generate queries to other domains for tracking purposes of various sorts. These queries tend to slow down the browser experience: a) the dns lookup itself takes time, then b) the round trip time to perform whatever nefarious action takes time.
To prevent some of these unneeded queries, it is possible to block them with a tool called pi-hole. It bills itself as "a black hole for internet advertisements".
It does indeed help speed up the browser experience.
The installation is relatively painless. I use a local package proxy (apt-cacher-ng), so I am recording the changed sources list here so I can remember it next time. In addition, the script doesn't seem to configure php correctly, so it fails once. I do a dummy install of dnsmasq to get the settings updated, then run the script again, and it runs to completion.
sed -i 's_//deb_//<ip address>:3142/deb_' /etc/apt/sources.list
sed -i 's_//sec_//<ip address>:3142/sec_' /etc/apt/sources.list
cat /etc/apt/sources.list
apt update
apt install curl
curl -sSL https://install.pi-hole.net | bash
apt install dnsmasq
curl -sSL https://install.pi-hole.net | bash
The end result is some text supplying a url for the administration interface, a password and a command to change the password:
pihole -a -p
A web page with Block Lists for Pi-Hole: CryptoAUSTRALIA's Favourite Block Lists
2018/01/09: Ad and tracking blocking dnsmasq-ready blocklists: (github.com)
2018/08/17 Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
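The two blocklist notes and the RPZ note fit together: the same hosts-format or dnsmasq-format lists pi-hole consumes can be expressed as a response policy zone for BIND. Here is an added example, not code from the post or from pi-hole, that parses both list formats, renders an RPZ zone whose entries return NXDOMAIN (the RPZ 'CNAME .' action, with a wildcard so subdomains are caught too), and includes a matcher that shows which query names the zone would block. The zone name 'rpz.local', the nameserver name and the sample list are my own placeholders.

```python
# Added example (not from the original post): blocklist -> BIND RPZ zone.
import ipaddress
import re

ZONE = "rpz.local"   # hypothetical RPZ zone name, chosen for the example


def parse_blocklist(text):
    """Return sorted domains from lines like '0.0.0.0 ads.example' (hosts
    format) or 'address=/ads.example/0.0.0.0' (dnsmasq format). Comments,
    blank lines, malformed lines and localhost entries are ignored."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"address=/([^/]+)/", line)
        if m:
            name = m.group(1)
        else:
            parts = line.split()
            if len(parts) < 2:
                continue
            try:
                ipaddress.ip_address(parts[0])      # hosts lines start with an IP
            except ValueError:
                continue
            name = parts[1]
        name = name.strip(".").lower()
        if name and name not in ("localhost", "localhost.localdomain", "broadcasthost"):
            names.add(name)
    return sorted(names)


def rpz_zone(domains, serial=1, ns="localhost."):
    """Render an RPZ zone: SOA/NS at the apex, then 'name CNAME .' (NXDOMAIN)
    for each domain and a wildcard record for everything beneath it."""
    lines = [
        "$TTL 60",
        "@ IN SOA %s hostmaster.%s. %d 3600 600 86400 60" % (ns, ZONE, serial),
        "@ IN NS %s" % ns,
    ]
    for d in domains:
        lines.append("%s CNAME ." % d)
        lines.append("*.%s CNAME ." % d)
    return "\n".join(lines) + "\n"


def is_blocked(qname, domains):
    """True if QNAME is a listed domain or lies below one; this mirrors what
    the wildcard records in the zone make the nameserver do."""
    q = qname.strip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def named_conf_snippet():
    """What named.conf needs: response-policy inside the existing options{}
    block, plus the zone itself."""
    return ('options { response-policy { zone "%s"; }; };\n'
            'zone "%s" { type master; file "%s.db"; };\n' % (ZONE, ZONE, ZONE))


if __name__ == "__main__":
    # Constructed list mixing both formats.
    demo = "# demo list\n0.0.0.0 ads.example\naddress=/tracker.example/0.0.0.0\n"
    doms = parse_blocklist(demo)
    print(rpz_zone(doms))
    print(named_conf_snippet())
    print(is_blocked("cdn.ads.example.", doms), is_blocked("example.org", doms))
```

Bumping the SOA serial on every regeneration is what makes secondaries pick up the new zone; the short TTL keeps a mistakenly blocked name from staying blocked in client caches for long.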
http://smtptrapd.sourceforge.net/
A document of suggestions to help make email more secure:
Email security and anti-spoofing
Talks about TLS, DKIM, DMARC and SPF with a few barebone configuration examples.
Some time back, the maintainer of kde-agent removed the package. As a workaround that provides ssh-agent to all session terminals, I lift the following solution from ArchLinux: ssh-agent support removed from kde-agent and ArchLinux: ssh keys:
In ~/.config/systemd/user/ssh-agent.service, put the following code:
[Unit]
Description=SSH key agent

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
Append to ~/.bashrc:
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
Enable the service with:
systemctl --user enable ssh-agent
And start with:
systemctl --user start ssh-agent
I am looking for Linux based business security solutions. My 'want list' includes video surveillance, video monitoring, video recording, and door access controls.
From the video side of things, I have come across the following:
Some features I am looking at:
Cameras:
Open source proximity / HID solutions:
RFID reader, HTTP-based hardware; more of the same.
But now I am getting into integrating more functionality into the infrastructure such as audio and video distribution. So some open source sites to go along with that:
2017/08/07 while on the subject of electronics, I am looking at controlling lights in a bar area with DMX. It is a 512 channel protocol running over RS-485. I saw some DIN rail mounted boxes with multiple RS-485 interfaces. I'm wondering if Linux Kernel RS-485 code is fast enough to drive these interfaces at DMX refresh rates. Erwin Rol has a brief intro to the RS-485 signalling standard. Otherwise the Open Lighting Project has references to many different projects which support dedicated DMX hardware.
An open letter to security researchers and practitioners:
We need you to take a stand to protect security researchers who report defects in browsers, before it's too late.
Earlier this month, the World Wide Web Consortium's Encrypted Media Extensions (EME) spec progressed to Draft Recommendation phase. This is a controversial standard for transmitting DRM-encumbered videos, and it marks the very first time that the W3C has attempted to standardize a DRM system.
This means that for the first time, W3C standards for browsers will fall under laws like the DMCA (and its international equivalents, which the US Trade Representative has spread all over the world). These laws allow companies to threaten security researchers who disclose vulnerabilities in DRM systems, on the grounds that these disclosures make it easier to figure out how to bypass the DRM.
Last summer, the Copyright Office heard from security researchers about the effect that DRM has on their work; those filings detail showstopper bugs in consumer devices, cars, agricultural equipment, medical implants, and voting machines that researchers felt they couldn't readily publish about, lest they face punitive lawsuits from the companies they embarrassed.
EFF has asked the W3C to take a minimal step to insulate their stakeholders from the legal fallout from the inclusion of DRM in their standards. Our proposal asks the W3C to bind its members to legal promises not to use the DMCA or laws like it against security researchers or implementers.
w3c-eme-and-eff-frequently-asked-questions
So far, the W3C executive has failed to act on this proposal, despite diverse support from a number of W3C members.
We are hosting an open letter from security, privacy and technology experts to the W3C's director, Tim Berners-Lee; and its CEO, Jeff Jaffe, asking them to make any further work on EME contingent on adopting rules to protect the open web from these bad laws.
security-researchers-tell-w3c-protect-researchers-who-investigate-browsers
Will you sign this letter? Some of security's leading lights have already put their names to it. We can't afford to make widely used tools like browsers off-limits to security research and disclosure, especially not as HTML5 is being positioned as a UI environment to replace apps as the primary way of interacting with sensors, actuators, embedded systems and the whole Internet of Things.
If you're willing to sign on, please send an email to cory@eff.org with your country of residence and your institutional affiliation (if any).
Thank you,
Cory Doctorow, Apollo 1201 Project, Electronic Frontier Foundation
Various crypto attacks have come to light. BetterCrypto talks of the LogJam attack (a Diffie-Hellman weakness exploit) and how to mitigate it. The site also has an Applied Crypto Hardening document, over 100 pages long, on how to harden common crypto-utilizing systems.
The post led me to look at crypto devices for carrying around private keys and performing two-factor authentication for Linux. One site I came across performs initial trials of Linux-based smartcards.
Coming at the problem from a different direction, I came across Programming the FST-01 (gnuk) with a Bus Pirate + OpenOCD. This article is about getting gnuk devices to work with the Debian releases. The interesting twist here is that the author wanted to actually customize the devices. I didn't think this was possible. But the article talks about using a programmer with SWD support to get down and dirty with the hardware. OpenOCD, which is short for Open On-Chip Debugging, plays a primary role in the article.
On-Chip Debugging opens up a whole new avenue of exploration for embedded systems design. The Bus Pirate, mentioned above, can be found at Dangerous Prototypes.
As part of some embedded solutions I am looking at, I picked up a few NVIDIA Jetson TK1 devices. It is cool that Christian's Blog talks about Debugging the Linux kernel via JTAG on the NVIDIA Jetson TK1 / Jetson Pro DevKit where JTAG is a very common mechanism for On Chip Debugging and testing.
Going a little further afield, I came across sigrok which is a project aiming at "creating a portable, cross-platform, Free/Libre/Open-Source signal analysis software suite that supports various device types (e.g. logic analyzers, oscilloscopes, and many more)." Rigol seemed to be a manufacturer of respected, compatible devices.
Even further afield, not crypto related, but something interesting: I came across a DSP-based solution with the TMS320F28016 development board, which is "known to be the world's lowest cost 32-bit Real Time Microcontroller (DSP) with a built-in CAN".
While on the subject of crypto, here is something on how to Secure Secure Shell (SSH). SSH has the capability of using many different crypto combinations. The default may not necessarily be the best. This describes the more secure combinations and how to use them.
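Because LogJam lives in the small (1024-bit) Diffie-Hellman groups, the SSH counterpart of the mitigation is the key-exchange list in sshd_config and the moduli file sshd draws group-exchange primes from. Here is an added example, not code from the post or from the Secure Secure Shell page, that audits an sshd_config for the commonly cited weak KEX, cipher and MAC names and prunes small primes from an /etc/ssh/moduli file. The weak and recommended lists are the ones generally cited (curve25519 and the SHA-2 group exchange for KEX, AEAD or CTR ciphers, SHA-2 MACs), not taken from the post, and the sample config is constructed.

```python
# Added example (not from the original post): sshd_config algorithm audit
# and /etc/ssh/moduli pruning.
import re

WEAK = {
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "ciphers": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "aes128-cbc",
                "aes192-cbc", "aes256-cbc", "blowfish-cbc", "cast128-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com",
             "hmac-md5-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"},
}
RECOMMENDED = {
    "kexalgorithms": "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
               "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "umac-128-etm@openssh.com",
}


def parse_sshd_config(text):
    """Return {lowercase keyword: value} for the first occurrence of each
    keyword, which is the one sshd honours."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd(text):
    """Findings: algorithm lists left unset (sshd defaults apply, which on
    older releases still include SHA-1 DH groups) and weak names set
    explicitly. The +/-/^ list-editing prefixes are ignored for matching."""
    conf = parse_sshd_config(text)
    findings = []
    for key in ("kexalgorithms", "ciphers", "macs"):
        if key not in conf:
            findings.append("%s not set; recommend: %s" % (key, RECOMMENDED[key]))
            continue
        names = [n.lstrip("+-^").lower() for n in conf[key].split(",")]
        bad = sorted(set(names) & WEAK[key])
        if bad:
            findings.append("%s includes weak %s" % (key, ", ".join(bad)))
    return findings


def prune_moduli(text, min_bits=2000):
    """Keep only /etc/ssh/moduli entries whose size field (5th column) is at
    least MIN_BITS, preserving comments. The file lists a 2048-bit group as
    2047, hence the 2000 threshold (the awk '$5 > 2000' idiom)."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or not fields:
            out.append(line)
        elif len(fields) >= 7 and int(fields[4]) >= min_bits:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed config and moduli excerpt.
    cfg = "Port 22\nKexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org\n"
    print("\n".join(audit_sshd(cfg)))
    print(prune_moduli("# header\n20120821 2 6 100 1023 2 AB\n20120821 2 6 100 2047 2 CD\n"))
```

Run the audit against the live file with 'sshd -T', which prints the effective configuration including defaults, rather than against sshd_config alone; that is what removes the "not set" guesswork.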
While on the subject of hardening, a site describing Hardening your HTTP response headers. Mostly IIS, but some nginx and a tiny bit of Apache.
A friend, many moons ago, suggested RoboForm, the password manager he uses. Looks good to me. It is multi-platform and has a number of modes of operation. Passwords can be uploaded to an account on RoboForm's servers, or they can be stored locally. I have chosen the 'local' mechanism, but use their GoodSync tool for syncing among various machines. It may be possible to create a server-based GoodSync mechanism for my own environment as well.
I have a public/private key pair generated from putty, and at the moment, no Windows machine on which to convert to a corresponding OpenSSH key pair.
To the rescue on a Debian Jessie system:
More and more companies are tracking personal habits of those who browse the web. It doesn't matter if you are shopping or not. 'They' know where you've been and what you like. Google is probably a large offender.
I've lost the reference, but for those who frequent Facebook, I heard that if you have marked over one hundred likes, marketers have you pegged quite closely. It is said they know more about you than possibly your close family members.
And amongst all this tracking, much of it is done with some combination of cookies and scripts: cookies to track you, and scripts to present you with stuff you probably don't want to see.
If you want some modicum of control over what others see of your browsing habits, and if you are a Firefox user, there are some interesting add-ons: add-ons which are popular, well written, and worthy of evaluation.
The above three resources are described at Firefox uses too many CPU resources - How to fix along with a number of other interesting how-to's for improving the web browsing experience.