Quite some time ago I moved all my multifactor authentication tokens into
my preferred password manager, zx2c4's pass.
As a command line utility, it is extremely powerful, but to manage one-time
passwords you need to provide the URL for the secret. This is usually in the
form of otpauth://totp/Label?secret=[BASE32 ENCODED SECRET] and is what is
encoded in those fancy QR codes that most websites produce. Most websites
will give you the secret directly if you ask, generally by pressing a button
under the QR code, but Etsy does not, so I went to figure out a quick way to
get the secret from the QR code.
I believe in a zero-trust, defense-in-depth approach to security.
Every network segment has a firewall (mostly OpenBSD) that controls
ingress and egress traffic and every machine that can also runs a
local firewall that further limits ingress (and in some cases
egress) traffic. This makes everything harder for an attacker.
It limits lateral movement, complicates data exfiltration, and
in some cases foils entire classes of attacks.
I think a lot about digital privacy and security. It is a subject that I care quite a lot about and I am continually trying to optimize my posture in the ever-changing landscape. A recent batch of phishing probes sent by IT security at $DAY_JOB got me thinking about the role of e-mail accounts in a person's overall digital security posture. Even though e-mail is being used less and less for personal correspondence, it is still the backbone of most online identity, either as the authentication identity itself or as the primary method (perhaps alongside SMS or TOTP) for account recovery and password reset. This makes it a particularly important vector, and lots of account compromise and takeover attacks start with e-mail. It is also the primary way people get tricked into giving away their credentials in phishing attacks, opening it as a popular attack vector.
So DNS over HTTPS is coming to Firefox. For most people this is certainly a good thing. When I worked for a national ISP around 2008 they started snooping DNS queries and sending them off to various ad networks, and inserted those stupid advertising-laden search pages into users' sessions instead of returning the correct and proper NXDOMAIN response when you mistyped a URL. There were executives who were very pleased with this extra revenue stream and got large bonuses as a result. This was over a decade ago so I can only imagine how this has gotten worse. DNS over HTTPS (and also DNS over TLS) makes this impossible, which is good.
Every now and then I decide to throw one of Apple's betas on one of my devices. This time I've been running the iPadOS beta on my iPad Air Generation 3 since the public preview started for 13.0. I like a lot of the features (ok, mostly dark mode) but as is the case with most of the betas there have been a few bumps along the way. The most notable is the behavior of the Home Control privacy setting that I noted back in the iOS 11.0 and iOS 11.2 releases.
Why are you a green bubble?
People often ask me why I have so many of the features of my phones turned off. My iPhone has iCloud, Siri, FaceTime and iMessage all firmly disabled and has since I originally set up the phone, my Mac has never signed into iCloud, and my Android phone has just about everything including Google Play Services disabled. My personal philosophy is that if it doesn't provide me with value, I disable it.
Edited: August 15, 2019 @21:00
Getting Started
I have been looking for reasons to try Docker on
one of the random stack of unused Raspberry Pis
that I have lying around and thought it might be fun to build a little
travel router. Somehow that morphed into "let's get
Tor working on here" and then "well, if I can
get a client, and a relay, why not an onion service?"