May 15, 2023 @11:00
Quite some time ago I moved all my multifactor authentication tokens into
my preferred password manager, zx2c4's pass.
As a command line utility, it is extremely powerful, but to manage one-time
passwords you need to provide the URL for the secret. This is usually of the form
otpauth://totp/Label?secret=[BASE32 ENCODED SECRET] and is what is
encoded in those fancy QR codes that most websites produce. Most websites
will give you the secret directly if you ask, generally by pressing a button
under the QR code, but Etsy does not, so I went to figure out a quick way to
get the secret from the QR code.
April 12, 2022 @14:20
I believe in a zero trust defense in depth approach to security.
Every network segment has a firewall (mostly OpenBSD) that controls
ingress and egress traffic and every machine that can also runs a
local firewall that further limits ingress (and in some cases
egress) traffic. This makes everything harder for an attacker.
It limits lateral movement, complicates data exfiltration, and
in some cases foils entire classes of attacks.
March 19, 2022 @14:34
I think a lot about digital privacy and security. It is a subject that I care
quite a lot about and I am continually trying to optimize my posture in the
ever-changing landscape. A recent batch of phishing probes sent by IT
security at $DAY_JOB got me thinking about the role of e-mail accounts in a
person's overall digital security posture. Even though e-mail is being used
less and less for personal correspondence, it is still the backbone of most
online identity, either as the authentication identity itself or as the primary
method (perhaps alongside SMS or TOTP) for account recovery and password
reset. This makes it a particularly important vector, and lots of account
compromise and takeover attacks start with e-mail. It is also the primary
method by which people get tricked into giving away their credentials in phishing
attacks, opening it as a popular attack vector.
February 25, 2020 @17:34
So DNS over HTTPS is coming to Firefox. For most people this is certainly a
good thing. When I worked for a national ISP in around 2008 they started
snooping DNS queries and sending them off to various ad networks and inserted
those stupid advertising-laden search pages into users' sessions instead of
returning the correct and proper NXDOMAIN response when you mistyped a URL.
There were executives who were very pleased with this extra revenue stream
and got large bonuses as a result. This was over a decade ago, so I can only
imagine how this has gotten worse. DNS over HTTPS (and also DNS over TLS)
makes this impossible, which is good.
September 03, 2019 @21:48
Every now and then I decide to throw one of Apple's betas on one of my devices.
This time I've been running the iPadOS beta on my iPad Air Generation 3 since
the public preview started for 13.0. I like a lot of the features (ok, mostly
dark mode) but, as is the case with most of the betas, there have been a few
bumps along the way. The most notable is the behavior of the Home Control
privacy setting that I noted back in the iOS 11.0 and iOS 11.2 releases.
January 28, 2019 @21:01
Why are you a green bubble?
People often ask me why I have so many of the features of my phones
turned off. My iPhone has iCloud, Siri, FaceTime and iMessage all
firmly disabled, and has since I originally set up the phone; my Mac has
never signed into iCloud, and my Android phone has just about everything,
including Google Play Services, disabled. My personal philosophy is that
if it doesn't provide me with value, I disable it.
Original: October 31, 2018 @21:50
Edited: August 15, 2019 @21:00
I have been looking for reasons to try Docker on one of the random stack of
unused Raspberry Pis that I have lying around and thought it might be fun to
build a little travel router. Somehow that morphed into "let's get Tor working
on here", and then, well, if I can get a client and a relay, why not an onion
service?