This website does not serve any adverts, tracking cookies or other internet annoyances.
Saturday 11th May 2019
Earlier this year, I was interviewed by Giulio D'Agostino for his new book and podcast 'Conversations in Cyberspace'. My podcast episode has now been released - if you'd like to listen, it is available on Anchor.fm, and various other platforms:
During the interview, I was asked about multiple topics including reverse engineering, Tor Onion v3 services, Linux and the browser extension ecosystem. I hope you enjoy, and thank you again to Giulio for having me on the show!
Please note that I have no commercial affiliation with Giulio or any of his projects. Continue reading...
Tuesday 23rd April 2019
One of the largest challenges with infrastructure deployment and automation is managing and verifying the SSH server key fingerprints for your servers and devices. Each new server will have its own unique SSH fingerprint that needs to be verified and accepted before your devices (e.g. Ansible control machine, log collector) can securely connect via SSH.
Often, verifying and distributing the fingerprints is a manual process, involving connecting to machines to check and accept the fingerprint, or manually copying lines to your
~/.ssh/known_hosts file. In some cases, people also unfortunately bypass the warnings and accept the fingerprint without checking it, which fundamentally breaks the security model of SSH host authenticity checking.
I have recently solved all of these challenges by implementing a new solution for managing my saved SSH server key fingerprints (known_hosts). I'm storing a verified copy of each fingerprint centrally in a public Git repository, and I can then pull from the repository on all of my machines/devices whenever the key changes. This allows me to securely and semi-automatically distribute the fingerprints with minimal manual work required. Continue reading...
Thursday 21st March 2019
I recently decided to switch back to using my Meizu MX4 Ubuntu Edition that I originally purchased in 2015 (which is what the first article on this blog was about).
Unfortunately, Canonical decided to end development of Ubuntu Touch due to a lack of market interest, but luckily the UBports community took over development, and are running the project successfully to this day as the (soon to be at the time of writing) UBports Foundation. Continue reading...
Tuesday 26th February 2019
I recently re-deployed my entire infrastructure onto two new servers using Ansible, and as part of this I wanted to remove all stored secrets from my public-facing web servers.
Let's Encrypt certificates were no problem as they are generated on the server and can be easily replaced if needed, and I removed the need for an SSH private key for Git by just using the public repo over HTTPS.
The only secrets that posed a challenge were my Tor Hidden Service private keys, both for Onion v3 and the historic Onion v2. The impact of one of these keys breaching would be very high, since the associated hostnames are already widely known and indexed. Because of this, it would absolutely not be appropriate to store them in my Ansible playbooks Git repository, nor would it be ideal to store them locally on my Ansible control machine.
One option would be to manually upload them whenever I deployed a new server, however this goes against the complete automation that I am achieving with Ansible. Instead, I decided to not run Tor on my public web server fleet at all, and instead host the Hidden Services elsewhere, with traffic forwarded to the web server fleet securely over the internet with an Apache reverse HTTP proxy. Continue reading...