diff options
Diffstat (limited to 'content')
| -rw-r--r-- | content/articles/about.md | 42 | ||||
| -rw-r--r-- | content/articles/site-backend.md | 137 | ||||
| -rw-r--r-- | content/posts/2006-03-19-openvpn-article-in-linux-magazine.html | 15 | ||||
| -rw-r--r-- | content/posts/2023-05-02-bookworm-and-podman.md | 2 | ||||
| -rw-r--r-- | content/posts/2023-12-02-firefox-redux.md | 21 | ||||
| -rw-r--r-- | content/posts/2025-05-18-onion-service-mirror.md | 27 | ||||
| -rw-r--r-- | content/posts/2025-05-18-trying-tails.md | 49 | ||||
| -rw-r--r-- | content/posts/2025-06-07-uninstall-facebook.md | 132 | ||||
| -rw-r--r-- | content/posts/2025-06-08-armbian-on-odroid-n2l.md | 145 | ||||
| -rw-r--r-- | content/posts/2025-06-08-nginx-caching-and-security-headers.md | 27 | ||||
| -rw-r--r-- | content/posts/2025-06-08-old-openvpn-article.md | 36 | ||||
| -rw-r--r-- | content/posts/2025-10-04-polycvss-v0.2.0.md | 143 | ||||
| -rw-r--r-- | content/projects/polycvss.md | 10 |
13 files changed, 757 insertions, 29 deletions
diff --git a/content/articles/about.md b/content/articles/about.md index af9053d..f682d49 100644 --- a/content/articles/about.md +++ b/content/articles/about.md @@ -89,8 +89,9 @@ I enjoy reading about math, programming, computer security, and science, writing [Open Source software][oss], tinkering with electronics, [3D printing][], and creating electronic music. -In my spare time I run a couple of servers which provide web and email -hosting for friends and family. +I have been an avid Linux user since the 1990s. In my spare time +I run a couple of servers which provide web and email hosting for +friends and family. ## About This Site @@ -98,30 +99,35 @@ This has been my web site since 1998. The site name is a combination of "pablo" (my nickname) and "tron" (technical). I typically post project updates, longer articles, and links that I find -interesting. +interesting. I put a considerable amount of effort into keeping this +site fast, secure, and responsive. + +This site is and will always be free of advertisements and trackers. More about this site: - [Archived Posts][]: Older blog posts, grouped by year. -- [Site Backend][]: Description of the technology behind this site. +- [Site Backend][]: Explanation of the technology behind this site. +- [Onion Service][pabstor]: Site mirror, only accessible via [Tor][]. ## Links -* [GitHub][github-me]: My [GitHub][] page. -* [Keybase][keybase-me]: My [Keybase][] page. -* [Mastodon][mastodon-me]: My [Mastodon][] page (currently empty). -* [PGP Key][pgp-key]: My [PGP][] key. +- [GitHub][github-me]: My [GitHub][] page. +- [Keybase][keybase-me]: My [Keybase][] page. +- [Mastodon][mastodon-me]: My [Mastodon][] page (mostly empty). +- [PGP Key][pgp-key]: My current [PGP][] key. Fingerprint: + [021136521548EB198F64FF738E182534CDD1F2B8][pgp-key-keys-openpgp-org]. ## Old Sites Archives of this site and my other sites are available via the [Wayback Machine][] at the following URLs: -* [Pre-1999 Site (archive)][ia-efn]: My personal site before 1999. Try +- [Pre-1999 Site (archive)][ia-efn]: My personal site before 1999. Try not to giggle (too much). -* [paulduncan.org (archive)][ia-pdo]: My personal site from 2003 until - 2017. -* [pablotron.org (archive)][ia-pto]: Technical content from 1998 until +- [paulduncan.org (archive)][ia-pdo]: My non-technical personal site + from 2003 until 2017. +- [pablotron.org (archive)][ia-pto]: Technical content from 1998 until now. [oss]: https://en.wikipedia.org/wiki/Open-source_software @@ -135,7 +141,7 @@ Machine][] at the following URLs: [ia-efn]: https://web.archive.org/web/*/http://efn.org/~p_duncan/ "My personal site before 1999." [ia-pdo]: https://web.archive.org/web/*/https://paulduncan.org/ - "My personal site from 2003 until 2017." + "My non-technical personal site from 2003 until 2017." [ia-pto]: https://web.archive.org/web/*/https://pablotron.org/ "My personal and technical site from 1998 until the present." [php]: https://php.net/ @@ -168,3 +174,13 @@ Machine][] at the following URLs: "Archived Posts" [site backend]: {{< relref "articles/site-backend.md" >}} "Site Backend" +[pabstor]: http://pabstordmsrzhushs5drpb5mtb2ml56iyacidsjfebl2jlss65rlbsqd.onion + "Onion service URL for this site." +[onion service]: https://community.torproject.org/onion-services/ + "Service that can only be accessed via the Tor network." +[onion address]: https://en.wikipedia.org/wiki/.onion + "Top-level domain for onion services." +[tor]: https://torproject.org/ + "The Onion Router" +[pgp-key-keys-openpgp-org]: https://keys.openpgp.org/search?q=021136521548EB198F64FF738E182534CDD1F2B8 + "Entry for my PGP key on keys.openpgp.org." diff --git a/content/articles/site-backend.md b/content/articles/site-backend.md index 62f5947..e096e0d 100644 --- a/content/articles/site-backend.md +++ b/content/articles/site-backend.md @@ -132,6 +132,7 @@ Images are created as follows: Other notes: - The animated site logo is an [SVG][] generated by [this Ruby script][gen-logo.rb]. +- [Favicon][] is a 907 byte [PNG][] instead of a 4k [ICO][]. - Menubar icons are borrowed from [Bootstrap Icons][]. - I reviewed several [PNG][] compressors in [this post][post-png-compressors]. @@ -295,6 +296,9 @@ redirects removed: # POST needed for /hooks Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS" + # expose onion service + Header set "Onion-Location" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion%{REQUEST_URI}s" + # cache images, stylesheets, and javascript for 1 year <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$"> Header set Cache-Control "max-age=31536000, public" @@ -318,7 +322,12 @@ redirects removed: #### HTTP Compression -[HTTP compression][] is supported via [mod\_deflate][mod-deflate]. +[HTTP compression][] is supported via [mod\_deflate][mod-deflate]. The +list of [MIME types][] has been adjusted, like so: + +```apache +AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml +``` It is safe for this site to enable [mod\_deflate][mod-deflate] because it does not use [cookies][] and is not vulnerable to [BREACH][]. @@ -510,10 +519,6 @@ The generated [HTML][] has been modified to: "pass-environment-to-command": [{ "source": "string", - "envname": "DEPLOY_HTDOCS_PATH", - "name": "/data/www/pablotron.org/builds/current" - }, { - "source": "string", "envname": "DEPLOY_REPO_DIR", "name": "/data/www/pablotron.org/git" }, { @@ -537,6 +542,85 @@ The generated [HTML][] has been modified to: [Download][webhook.conf] +## Onion Service + +This site is mirrored on the [Tor network][tor] at the following [onion +address][.onion]: + +[http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/][pablotron.onion] + +**Note:** The [onion address][.onion] will only work for [Tor][]-enabled +browsers like [Tor Browser][]. + +Configuration Notes: + +- Vanity [.onion][] address generated with [mkp224o][]. +- Served with [Nginx][] instead of [Apache][], because [Nginx][] + can listen on a [domain socket][]. +- Public site sets [Onion-Location][] response header. Allows + [Tor Browser][] users to easily redirect to the [onion + address][.onion]. + +[Nginx][] configuration: + +```nginx +server { + listen unix:/var/run/tor/pablotron.sock; + server_name pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion; + root /store/www/pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/htdocs; + index index.html; + access_log /var/log/nginx/pablotron-access.log; + + # enable compression, compress common types + gzip on; + gzip_types text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml; + + # security headers (see comments in apache config) + add_header "X-Frame-Options" "SAMEORIGIN"; + add_header "X-Content-Type-Options" "nosniff"; + add_header "Cross-Origin-Opener-Policy" "same-origin"; + add_header "Cross-Origin-Resource-Policy" "same-origin"; + add_header "Access-Control-Allow-Origin" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion"; + add_header "Referrer-Policy" "strict-origin-when-cross-origin"; + add_header "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"; + + # different from apache; POST method not needed + add_header "Access-Control-Allow-Methods" "GET, HEAD, OPTIONS"; + + location ~ \.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$ { + # cache images, stylesheets, and javascript for 1 year + # note: caching makes a BIG difference when browsing via tor + expires 1y; + } + + location ~ \.svg$ { + # relax Content-Security-Policy for SVGs to allow + # `style-src-attr 'unsafe-inline'` + add_header "Content-Security-Policy" "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'"; + } + + location ^~ \.svg$ { + # default Content-Security-Policy + add_header "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"; + } +} +``` + +[Download][pablotron.onion.conf] + +[Tor][] configuration: + +```ini +HiddenServiceDir /var/lib/tor/pablotron/ +HiddenServicePort 80 unix:/var/run/tor/pablotron.sock +``` + +References: + +- [Set up Your Onion Service][onion-service-setup] +- [Vanity .onion addresses][vanity-onion-address] +- [Onion-Location][] + ## Validation I periodically use the following tools to verify this site: @@ -546,12 +630,14 @@ I periodically use the following tools to verify this site: - [Security Headers][securityheaders.com]: Check [HTTP][] security headers. - [SSL Labs SSL Test][ssl-labs-ssl-test]: Check [TLS][] configuration. +- [htmltest][]: Check for broken links and other common [HTML][] errors. +- [goaccess][]: Generate summary report of site statistics. I also manually check the site in the desktop and mobile versions of [Chrome][] and [Firefox][]. -I am investigated doing automated validation with [htmltest][], -[htmltidy][], and the [W3C validator][], but have not added them yet. +I am investigated doing automated validation with [htmltidy][], and the +[W3C validator][], but have not added them yet. ## Other @@ -595,6 +681,11 @@ published. black box. - 2025-01-30: Added [robots.txt][] info to [Other](#other). - 2025-03-31: Update wording to reflect the following changes: default to dark mode and remove [`prefers-color-scheme`][prefers-color-scheme] detection. +- 2025-04-26: Document [PNG][] [favicon][]. +- 2025-05-12: Document [htmltest][] and [goaccess][]. +- 2025-05-18: Add [Onion Service](#onion-service "Onion Service") section. +- 2025-06-07: Add caching and security headers to [nginx][] config in + [Onion Service](#onion-service "Onion Service") section. [s-hugo-configuration]: #hugo-configuration "Hugo Configuration" @@ -816,3 +907,35 @@ published. "Large Language Model" [minified]: https://en.wikipedia.org/wiki/Minification_(programming) "Minification (Wikipedia)" +[favicon]: https://en.wikipedia.org/wiki/Favicon + "favorite icon" +[ico]: https://en.wikipedia.org/wiki/ICO_(file_format) + "ICO icon file format (ICO)" +[goaccess]: https://goaccess.io/ + "Fast, real-time web log analyzer." +[tor]: https://torproject.org/ + "The Onion Router" +[onion service]: https://community.torproject.org/onion-services/ + "Service that can only be accessed via the Tor network." +[.onion]: https://en.wikipedia.org/wiki/.onion + "Top-level domain for onion services." +[pablotron.onion]: http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/ + "Onion service URL for this site." +[nginx]: https://en.wikipedia.org/wiki/Nginx + "NGINX web server." +[domain socket]: https://en.wikipedia.org/wiki/Unix_domain_socket + "Unix domain socket." +[tcp port]: https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports + "TCP port." +[pablotron.onion.conf]: /files/articles/site-backend/pablotron.onion.conf.txt + "Download Nginx configuration for onion address." +[mkp224o]: https://github.com/cathugger/mkp224o/ + "Vanity .onion address generator" +[onion-service-setup]: https://community.torproject.org/onion-services/setup/ + "Set up Your Onion Service" +[vanity-onion-address]: https://community.torproject.org/onion-services/advanced/vanity-addresses/ + "Vanity .onion address." +[onion-location]: https://community.torproject.org/onion-services/advanced/onion-location/ + "Onion-Location HTTP response header." +[tor browser]: https://en.wikipedia.org/wiki/Tor_(network)#Tor_Browser + "Tor browser." diff --git a/content/posts/2006-03-19-openvpn-article-in-linux-magazine.html b/content/posts/2006-03-19-openvpn-article-in-linux-magazine.html index 319dd7e..18026de 100644 --- a/content/posts/2006-03-19-openvpn-article-in-linux-magazine.html +++ b/content/posts/2006-03-19-openvpn-article-in-linux-magazine.html @@ -5,8 +5,21 @@ title: OpenVPN Article in Linux Magazine <p> On the off-chance you haven't heard about it yet, I wrote an article -on <a href='http://openvpn.net/'>OpenVPN</a> for <a href='http://www.linux-mag.com/'>Linux Magazine</a>. +on <a href='https://openvpn.net/' title='OpenVPN'>OpenVPN</a> for <a + href='https://web.archive.org/http://www.linux-mag.com/' + title='Linux Magazine' +>Linux Magazine</a>. It's in the April 2006 issue, which has already been mailed to subscribers and should be available at bookstores and on newsstands any day now. </p> +<p> +<b>Update (2025-06-08):</b> Hello from 19 years later! The +<a + href='https://web.archive.org/' + title='Wayback machine' +>Wayback Machine</a> has an archived copy of the 2006 article: <a + href='https://web.archive.org/web/20070812003116/http://www.linux-mag.com/id/2502' + title='Casting Your Net with OpenVPN' +>Casting Your Net with OpenVPN</a>. +</p> diff --git a/content/posts/2023-05-02-bookworm-and-podman.md b/content/posts/2023-05-02-bookworm-and-podman.md index 63b842d..485f03a 100644 --- a/content/posts/2023-05-02-bookworm-and-podman.md +++ b/content/posts/2023-05-02-bookworm-and-podman.md @@ -9,7 +9,7 @@ a great release. I've been looking for a suitable [Docker][] replacement for a few years because of [their repeated license shenanigans][license-shenanigans]. -Last year I tried switching to [Podman][], but ran into into several +Last year I tried switching to [Podman][], but ran into several incompatibilities and minor annoyances. [Podman 4.3][podman-4.3] ships with [Bookworm][] and seems to fix all diff --git a/content/posts/2023-12-02-firefox-redux.md b/content/posts/2023-12-02-firefox-redux.md index 28e51f9..75d78ef 100644 --- a/content/posts/2023-12-02-firefox-redux.md +++ b/content/posts/2023-12-02-firefox-redux.md @@ -21,10 +21,12 @@ Chrome to [Firefox][]. Thoughts so far... ### Firefox Cons -- No tab groups. ~~There are several tab management extensions, but none - are as elegant as tab groups.~~ (**Update:** [Tab Stash][] is a - passable alternative for me). -- Occasional [screen tearing][] on complex pages. +- ~~No tab groups. There are several tab management extensions, but none + are as elegant as tab groups.~~ **Update:** Firefox 136 added tab + groups. I also like the [Tab Stash][] extension. +- Occasional [screen tearing][] on complex pages. I think this is an + artifact of Firefox in [X11][], because it does not happen under + [Wayland][]. - Chrome has smoother scrolling. I also worry about [Mozilla][] as an organization; a substantial portion @@ -57,7 +59,10 @@ monopoly to an advertising company. interface, supports [uBlock Origin][]. I've used it for years on my phone and tablet. -**Update (2023-12-04):** Added note about [Tab Stash][]. +Updates: +- 2023-12-04: Added note about [Tab Stash][]. +- 2025-06-07: Added note about Tab Groups in Firefox 136 and clarify + that screen tearing only happens in [X11][]. [ublock origin]: https://en.wikipedia.org/wiki/UBlock_Origin "Free and open source browser extension for content filtering and ad blocking." @@ -104,5 +109,7 @@ monopoly to an advertising company. "Portable Document Format (PDF)" [tab stash]: https://addons.mozilla.org/en-US/firefox/addon/tab-stash/ "Tab Stash extension for Firefox" - - +[x11]: https://en.wikipedia.org/wiki/X_Window_System + "X Window System" +[wayland]: https://en.wikipedia.org/wiki/Wayland_(protocol) + "Wayland" diff --git a/content/posts/2025-05-18-onion-service-mirror.md b/content/posts/2025-05-18-onion-service-mirror.md new file mode 100644 index 0000000..13bfca6 --- /dev/null +++ b/content/posts/2025-05-18-onion-service-mirror.md @@ -0,0 +1,27 @@ +--- +slug: onion-service-mirror +title: "Tor Site Mirror" +date: "2025-05-18T09:44:21-04:00" +--- +This site is now mirrored on the [Tor network][] at the following +[onion address][]: + +[http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/][pablotron.onion] + +See [Site Backend - Onion Service][site-backend-onion-service] for more +details. + +**Update (2025-06-02):** New [vanity .onion address][]. + +[tor network]: https://torproject.org/ + "The Onion Router" +[pablotron.onion]: http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/ + "Site mirror onion address." +[site-backend-onion-service]: {{< relref "articles/site-backend" >}}#onion-service + "Site Backend, Onion Service" +[onion address]: https://en.wikipedia.org/wiki/.onion + "Top-level domain for onion services." +[mkp224o]: https://github.com/cathugger/mkp224o/ + "Vanity .onion address generator" +[vanity .onion address]: https://community.torproject.org/onion-services/advanced/vanity-addresses/ + "Vanity .onion address." diff --git a/content/posts/2025-05-18-trying-tails.md b/content/posts/2025-05-18-trying-tails.md new file mode 100644 index 0000000..aaee7ee --- /dev/null +++ b/content/posts/2025-05-18-trying-tails.md @@ -0,0 +1,49 @@ +--- +slug: trying-tails +title: "Trying Tails" +date: "2025-05-18T09:44:21-04:00" +draft: true +--- +Post about fiddling with Tails. Maybe rename to "review of tails"? + +tails notes +- hidetopmenu extension does not work :/ +- screenshot +- store passwords in keepassxc +- installed + sudo apt-get install vim-{nox,scripts} qalculate-gtk gnome-shell-extension-{autohidetopbar,hide-activities,manager} + +- gnome boxes setup + - enable efi + - resizing img to enable persistent storage +- tails setup + - enable persistent storage + - enable admin password (to install stuff) + - gnome + - dark mode + - dark desktop bg + - set meta-h to to full height + - terminal: + - dark theme + - disable bell + - disable scrollbar + - tor browser: loses these settings on restart... + - set ddg.onion as default search + - set home page and new tab to blank + - disable letterboxing (about:config) + - sites + - ddg.onion + - load ddg settings from cloud storage w/password + - wikipedia + - set dark mode + - set wide view +- working .gitconfig: + amnesia@amnesia:~$ cat .gitconfig + [http] + proxy = socks5h://127.0.0.1:9050/ + [https] + proxy = socks5h://127.0.0.1:9050/ +- save all gnome settings with `dconf dump /` > dconf.txt + +- several apps don't honor dark mode + - onion circuits diff --git a/content/posts/2025-06-07-uninstall-facebook.md b/content/posts/2025-06-07-uninstall-facebook.md new file mode 100644 index 0000000..904d43b --- /dev/null +++ b/content/posts/2025-06-07-uninstall-facebook.md @@ -0,0 +1,132 @@ +--- +slug: uninstall-facebook +title: "Uninstall Facebook" +date: "2025-06-07T18:08:27-04:00" +--- +You should immediately remove the Facebook and Instagram apps from +your Android devices: + +> We disclose a novel tracking method by Meta and Yandex potentially +> affecting billions of Android users. We found that native Android +> apps—including Facebook, Instagram, and several Yandex apps including +> Maps and Browser—silently listen on fixed local ports for tracking +> purposes. +> +> ... +> +> This web-to-app ID sharing method **bypasses typical privacy +> protections such as clearing cookies, Incognito Mode and Android's +> permission controls. Worse, it opens the door for potentially +> malicious apps eavesdropping on users’ web activity.** (emphasis mine) + +[Source][local mess] + +[Ars Technica][] also has [an excellent summary][]. + +In English: If you have the Facebook app or Instagram app installed on +your Android device, then Meta may have secretly collected your identity +and your browsing history. + +This is true even if you don't have a Facebook account. It's true even +if you don't use the Facebook app. It's true even if you took steps to +hide your browsing history like clearing cookies or using a private +browser window. + +On June 3rd, Meta claimed that the code responsible had "been almost +complete removed"; this is [weasel wording][] which actually means "the +code has not been removed". + +Even if Meta actually did remove the code from their apps, there are +still several problems: + +1. Meta has an [atrocious privacy record][]. It would be foolish to + take Meta at their word and they have a strong incentive to try + this again or something similar in the future. +2. Removing code does not address the information Meta has already + collected. This information could be leaked in a data breach or + subpoenaed by law enforcement. +3. Malicious or [trojaned][] apps could listen on the same local ports + and collect the same information. The [Local Mess][] researchers + demonstrated this with a proof-of-concept app. + +Additional privacy recommendations: + +1. Prefer web sites over apps. Many services use [deceptive patterns][] + to trick you into using an app instead of a web site. They do this + because an app can collect more information about you than a web site. +2. Remove unused and rarely used apps. +3. Stop using Google Search. I recommend [DuckDuckGo][]. +4. [Stop using Google Chrome][ditch-chrome]. I recommend [Firefox][] + with [uBlock Origin][] and some [configuration + changes][firefox-privacy]. Some folks swear by [DuckDuckGo Browser][], + but I haven't used it myself. See also: [The case for ditching + Chrome][vox-chrome]. If you really do need Chrome or Edge, then at + least install [uBlock Origin Lite][]. +5. Switch from Microsoft Windows to [Linux][]. I recommend [Ubuntu][] + for new users. I use [Debian][debian]. If you really do need + Windows, then at least [disable Windows telemetry][]. +6. Switch from text messaging and WhatsApp (owned by Meta) to [Signal][]. +7. Set up [Pi-hole][] on your home network. It has an easy-to-use web + interface and can help block ads and tracking on mobile devices and + "smart" TVs. +8. Consider [Tor Browser][] or [Tails][] if the you need more protection + and are willing to accept some tradeoffs. + +Further reading: [Surveilance Self Defense][ssd] + +[local mess]: https://localmess.github.io/ + "Local Mess: Tracking method used by Facebook, Instagram, and Yandex Android apps which bypasses privacy protection." +[atrocious privacy record]: https://en.wikipedia.org/wiki/Privacy_concerns_with_Facebook + "Privacy concerns with Facebook (Wikipedia)" +[ars technica]: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/ + "Ars Technica" +[an excellent summary]: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/ + "Ars Technica: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers" +[weasel wording]: https://en.wikipedia.org/wiki/Weasel_word + "Weasel word: Word or phrase aimed at creating an impression that something specific and meaningful has been said, when in fact only a vague, ambiguous, or irrelevant claim has been communicated (Wikipedia)" +[fingerprint]: https://www.amiunique.org/fingerprint + "fingerprint" +[trojaned]: https://en.wikipedia.org/wiki/Trojan_horse_(computing) + "Trojan horse (Wikipedia)" +[firefox]: https://www.mozilla.org/en-US/firefox/new/ + "Mozilla Firefox web browser" +[ublock origin]: https://en.wikipedia.org/wiki/UBlock_Origin + "uBlock Origin ad-blocker" +[ditch-chrome]: {{< relref "posts/2023-12-02-firefox-redux.md" >}}#why-ditch-chrome + "Why Ditch Chrome?" +[brave]: https://en.wikipedia.org/wiki/Brave_(web_browser) + "Brave web browser" +[duckduckgo browser]: https://duckduckgo.com/app/ + "DuckDuckGo web browser" +[firefox-privacy]: https://cyberinsider.com/firefox-privacy/ + "Firefox Privacy Checklist" +[duckduckgo]: https://duckduckgo.com/ + "DuckDuckGo search engine" +[tor browser]: https://www.torproject.org/download/ + "Tor Browser" +[tor network]: https://www.torproject.org/ + "Tor network" +[linux]: https://en.wikipedia.org/wiki/Linux + "Linux operating system" +[debian]: https://debian.org/ + "Debian Linux" +[ubuntu]: https://ubuntu.com/ + "Ubuntu Linux" +[disable windows telemetry]: https://windowsreport.com/disable-windows-11-telemetry/ + "Disable Windows 11 telemetry" +[pi-hole]: https://en.wikipedia.org/wiki/Pi-hole + "Pi-hole" +[raspberry pi]: https://en.wikipedia.org/wiki/Raspberry_Pi + "Small single-board computer." +[signal]: https://signal.org/ + "Signal secure messenger" +[ssd]: https://ssd.eff.org/ + "Surveilance Self Defense" +[tails]: https://tails.net/ + "Tails: portable operating system that protects against surveillance and censorship" +[vox-chrome]: https://www.vox.com/technology/387375/google-chrome-antitrust-privacy-android + "The case for ditching Chrome (vox.com)" +[ublock origin lite]: https://en.wikipedia.org/wiki/UBlock_Origin#uBlock_Origin_Lite + "Manifest V3 version of uBlock Origin for Google Chrome, Microsoft Edge, and other Chromium-based browsers." +[deceptive patterns]: https://www.deceptive.design/types + "Types of deceptive patterns" diff --git a/content/posts/2025-06-08-armbian-on-odroid-n2l.md b/content/posts/2025-06-08-armbian-on-odroid-n2l.md new file mode 100644 index 0000000..3443adf --- /dev/null +++ b/content/posts/2025-06-08-armbian-on-odroid-n2l.md @@ -0,0 +1,145 @@ +--- +slug: armbian-on-odroid-n2l +title: "Armbian on Odroid N2L" +date: "2025-06-08T15:31:00-04:00" + +pics: + n2l: + css: "image" + tip: "Odroid N2L running Armbian." + sources: + - "/files/posts/armbian-on-odroid-n2l/n2l-1024.webp" + - src: "/files/posts/armbian-on-odroid-n2l/n2l-1024.png" + width: 1024 + height: 771 +--- + +Last week I installed [Armbian][] on an [Odroid N2L][]. The +installation steps, installation results, and fixes for some problems +are documented below. + +### Installation + +1. Download and import the [signing key][armbian-key] (fingerprint + `DF00FAF1C577104B50BF1D0093D6889F9F0E78D5`): \ + `wget -O- https://apt.armbian.com/armbian.key | gpg -- import -` +2. Download the current "Debian 12 (Bookworm)" image and the [detached + signature][asc] from the "Minimal/IOT images" section of the [Armbian + Odroid N2L page][armbian-n2l]. +3. Verify the [signature][asc]: \ + `gpg --verify Armbian_community_25.8.0-trunk.8_Odroidn2l_bookworm_current_6.12.28_minimal.img.xz{.asc,}` +4. Uncompress the image: \ + `unxz Armbian_community_25.8.0-trunk.8_Odroidn2l_bookworm_current_6.12.28_minimal.img.xz` +5. Flash the uncompressed image to a [microSD][] card: \ + `sudo dd if=Armbian_community_25.8.0-trunk.8_Odroidn2l_bookworm_current_6.12.28_minimal.img of=/dev/sda bs=1M status=progress` +6. Mount the second partition of the [microSD][] card on `/mnt/tmp`: \ + `sudo mount /dev/sda2 /mnt/tmp` +7. Use the instructions and template from [Automatic first boot + configuration][armbian-autoconfig] to populate + `/mnt/tmp/root/.not_logged_in_yet`. My populated autoconfig is + [here][populated-autoconfig], but **it did not work as expected**; + see below. +8. Unmount the second partition of the [microSD][] card. +9. Insert the [microSD][] card into the [Odroid N2L][] and power it on. + +### Installation Results + +Worked as expected: + +- Successfully booted. +- Successfully connected to [WiFi][] on first boot. + +Did not work as expected: + +- Did not connect to WiFI on subsequent boots. +- Did not set the root password. Instead the root password was `1234`. +- Did not set the user password. +- Did not set the user SSH key. + +### Fixes + +To correct these problems I connected a keyboard and monitor and did the +following: + +1. Logged in as `root` with the password `1234`. +2. Changed the root password and the user password. +4. Edited `/etc/netplan/20-eth-fixed-mac.yaml` and fixed the + errors. The corrected version is below. +5. Ran `netplan apply` to apply the corrected network configuration. +6. Rebooted to confirm that networking was working as expected. + +Here is the corrected `/etc/netplan/20-eth-fixed-mac.yaml`: + +```yaml +network: + version: 2 +``` + + +After fixing networking, I did the following: + +1. Copied my SSH key. +2. Edited `/etc/ssh/sshd_config` to disable root logins and password + logins. +3. Ran `apt-get update && apt-get upgrade`. +4. Installed `unattended-upgrades`. +5. Rebooted to pick up the latest updates. + +<!-- + +### Conclusion + +Many non-[Pi][] [SBCs][sbc] manufacturers stop providing software +shortly after the hardware is released. Owners are stuck with +unsupported hardware running out-of-date software. + +Case in point: The latest download on the [Odroid N2L wiki][] is Ubuntu +22.04. + +I'm thrilled that [Armbian][] + +original unused blather ... + +[Armbian][] now supports the [Odroid N2L][] as a [community maintained +target][armbian-n2l]. + +Context: A couple of years ago Nadine bought me a pair of [Odroid +N2Ls][odroid n2l]. [Pi 4s][pi] were scarce because of supply chain +issues, and the [Odroid N2L][] seemed like a decent substitute. + +The problem with non-[Pi][] [SBCs][sbc] is that the manufacturers +invariably stop providing software updates shortly after release, so you +are stuck with unsupported hardware running an out of date OS. + +As of this writing, the [Odroid N2L wiki][] still has the same software +that it did when first got the hardware: Ubuntu 22.04. +--> + +[{{< pe-figure "n2l" >}}][n2l-pic] + +[armbian]: https://www.armbian.com/ + "Linux for ARM development boards" +[odroid n2l]: https://www.hardkernel.com/shop/odroid-n2l-with-4gbyte-ram/ + "Odroid N2L ARM A73 SBC" +[pi]: https://en.wikipedia.org/wiki/Raspberry_Pi + "Raspberry Pi" +[sbc]: https://en.wikipedia.org/wiki/Single-board_computer + "single-board computer (SBC)" +[armbian-n2l]: https://www.armbian.com/odroid-n2l/ + "Armbian for the Odroid N2L" +[odroid n2l wiki]: https://wiki.odroid.com/getting_started/os_installation_guide#tab__odroid-n2l + "Odroid Wiki: Odroid N2L" +[n2l-pic]: /files/posts/armbian-on-odroid-n2l/n2l.jpg + "Odroid N2L running Armbian" +[armbian-autoconfig]: https://docs.armbian.com/User-Guide_Autoconfig/ + "Armbian Documentation: Automatic first boot configuration" +[asc]: https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Digital_signatures + "Detached PGP signature" +[armbian-key]: https://apt.armbian.com/armbian.key + "Armbian PGP signing key" +[populated-autoconfig]: /files/posts/armbian-on-odroid-n2l/odroid-n2l-root_not_logged_in_yet.txt + "Populated automatic first boot configuration file" +[microsd]: https://en.wikipedia.org/wiki/SD_card#microSD + "microSD memory card" +[wifi]: https://en.wikipedia.org/wiki/Wi-Fi + "Wireless networking" diff --git a/content/posts/2025-06-08-nginx-caching-and-security-headers.md b/content/posts/2025-06-08-nginx-caching-and-security-headers.md new file mode 100644 index 0000000..54cd4a0 --- /dev/null +++ b/content/posts/2025-06-08-nginx-caching-and-security-headers.md @@ -0,0 +1,27 @@ +--- +slug: nginx-caching-and-security-headers +title: "Nginx Caching and Security Headers" +date: "2025-06-08T13:16:00-04:00" +--- + +Yesterday I ported the [caching and security headers][apache-config] +from the [Apache][] configuration for the public site to the [Nginx][] +configuration for the [Tor mirror][]. + +The caching headers are particularly helpful for the [Tor mirror][]. + +The updated [Nginx][] configuration and additional documentation are +here: [Site Backend - Onion Service][onion-service]. + +[apache-config]: {{< relref "articles/site-backend" >}}#apache-configuration + "Site Backend - Apache Configuration" +[apache]: https://apache.org/ + "Apache web server" +[nginx]: https://nginx.org/ + "Nginx web server" +[onion-service]: {{< relref "articles/site-backend" >}}#onion-service + "Site Backend - Onion Service" +[tor mirror]: {{< relref "posts/2025-05-18-onion-service-mirror" >}} + "Tor Site Mirror" +[tor network]: https://torproject.org/ + "Tor project" diff --git a/content/posts/2025-06-08-old-openvpn-article.md b/content/posts/2025-06-08-old-openvpn-article.md new file mode 100644 index 0000000..67f2ccf --- /dev/null +++ b/content/posts/2025-06-08-old-openvpn-article.md @@ -0,0 +1,36 @@ +--- +slug: old-openvpn-article +title: "Old OpenVPN Article" +date: "2025-06-08T11:52:22-04:00" +--- + +In 2006 [I wrote an article about OpenVPN][article-post] for the +now-defunct [Linux Magazine][]. This week I found a copy of the 2006 +article on the [Wayback Machine][]: + +[Casting Your Net with OpenVPN (Wayback Machine)][article] + +In 2025 you should prefer [Wireguard][] over [OpenVPN][] because +[Wireguard][] is [faster, more secure, and easier to use][wg-reasons]. + +Fun factoid: The [AWS Client VPN][] is just an [AWS][]-branded build of +the [OpenVPN][] client. + +[article-post]: {{< relref "posts/2006-03-19-openvpn-article-in-linux-magazine" >}} + "OpenVPN Article in Linux Magazine" +[linux magazine]: https://web.archive.org/http://www.linux-mag.com/ + "Linux Magazine" +[wayback machine]: https://web.archive.org/ + "Wayback Machine" +[article]: https://web.archive.org/web/20070812003116/http://www.linux-mag.com/id/2502' + "Casting Your Net with OpenVPN (Wayback Machine)" +[aws]: https://aws.amazon.com/ + "Amazon Web Services (AWS)" +[aws client vpn]: https://aws.amazon.com/vpn/client-vpn-download/ + "AWS Client VPN" +[openvpn]: https://openvpn.net/ + "OpenVPN" +[wg-reasons]: {{< relref "posts/2021-11-06-wireguard-is-awesome" >}} + "Wireguard is Awesome" +[wireguard]: https://wireguard.com/ + "Wireguard" diff --git a/content/posts/2025-10-04-polycvss-v0.2.0.md b/content/posts/2025-10-04-polycvss-v0.2.0.md new file mode 100644 index 0000000..49d20f7 --- /dev/null +++ b/content/posts/2025-10-04-polycvss-v0.2.0.md @@ -0,0 +1,143 @@ +--- +slug: polycvss-v0.2.0 +title: "polycvss v0.2.0" +date: "2025-10-04T03:15:48-04:00" +--- +I just released [polycvss][] version 0.2.0. + +[polycvss][] is a [Rust][] library to parse and score [CVSS][] vector +strings. + +Features: + +- [CVSS v2][doc-v2], [CVSS v3][doc-v3], and [CVSS v4][doc-v4] support. +- Version-agnostic parsing and scoring [API][]. +- Memory efficient: Vectors are 8 bytes. Scores and severities are 1 byte. +- No dependencies by default except the standard library. +- Optional [serde][] integration via the `serde` build feature. +- Extensive tests: Tested against thousands of vectors and scores from + the [NVD][] [CVSS][] calculators. + +Here is an example tool which parses the first command-line argument as +a [CVSS][] vector string, then prints the score and severity: + +```rust +use polycvss::{Err, Score, Severity, Vector}; + +fn main() -> Result<(), Err> { + let args: Vec<String> = std::env::args().collect(); // get cli args + + if args.len() == 2 { + let vec: Vector = args[1].parse()?; // parse string + let score = Score::from(vec); // get score + let severity = Severity::from(score); // get severity + println!("{score} {severity}"); // print score and severity + } else { + let name = args.first().map_or("app", |s| s); // get app name + eprintln!("Usage: {name} [VECTOR]"); // print usage + } + + Ok(()) +} +``` + + +Here is the example tool output for a [CVSS v2][doc-v2] vector string, a +[CVSS v3][doc-v3] vector string, and a [CVSS v4][doc-v4] vector string: + +```sh +# test with cvss v2 vector string +$ cvss-score "AV:A/AC:H/Au:N/C:C/I:C/A:C" +6.8 MEDIUM + +# test with cvss v3 vector string +$ cvss-score "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" +9.8 CRITICAL + +# test with cvss v4 vector string +$ cvss-score "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H" +5.2 MEDIUM +``` + + +This example tool is included in the [Git repository][] as +[`src/bin/cvss-score.rs`][cvss-score]. + +### Links + +- [polycvss Git repository][polycvss] +- [polycvss package on crates.io][crates-io-polycvss] +- [polycvss API Documentation on docs.rs][docs-rs-polycvss] + +**Updates** + +- 2025-10-12: [polycvss v0.2.1][]: Add [`polycvss::v4::Nomenclature`][v4-nomenclature] and improve documentation. +- 2025-10-18: [polycvss v0.3.0][]: Add user-friendly `Error` messages, remove unreleased CVSS v2.x `Version` variants, and improve documentation. +- 2025-10-19: [polycvss v0.3.1][]: Documentation improvements. +- 2025-11-16: [polycvss v0.3.2][]: Add `impl From<Vector> for Severity` + and `examples/` directory. + +[html]: https://en.wikipedia.org/wiki/HTML + "HyperText Markup Language" +[rust]: https://rust-lang.org/ + "Rust programming language." +[cvss]: https://www.first.org/cvss/ + "Common Vulnerability Scoring System (CVSS)" +[doc-v2]: https://www.first.org/cvss/v2/guide + "CVSS v2.0 Documentation" +[doc-v3]: https://www.first.org/cvss/v3-1/specification-document + "CVSS v3.1 Specification" +[doc-v4]: https://www.first.org/cvss/v4-0/specification-document + "Common Vulnerability Scoring System (CVSS) version 4.0 Specification" +[bit-field]: https://en.wikipedia.org/wiki/Bit_field + "Bit field (Wikipedia)" +[cvss-score]: https://github.com/pablotron/polycvss/blob/main/src/bin/cvss-score.rs + "Example command-line tool which parses a CVSS vector and prints the score and severity to standard output." +[git repository]: https://github.com/pablotron/polycvss + "polycvss git repository" +[polycvss]: https://github.com/pablotron/polycvss + "polycvss Rust library" +[v2-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator + "NVD CVSS v2 calculator" +[v3-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator + "NVD CVSS v3 calculator" +[v4-calc]: https://nvd.nist.gov/site-scripts/cvss-v4-calculator-main/ + "NVD CVSS v4 calculator" +[cargo]: https://doc.rust-lang.org/cargo/ + "Rust package manager" +[podman]: https://podman.io/ + "Podman container management tool" +[docker]: https://docker.com/ + "Docker container management tool" +[api]: https://en.wikipedia.org/wiki/API + "Application Programming Interface (API)" +[linter]: https://en.wikipedia.org/wiki/Lint_(software) + "Static code analysis tool to catch common mistakes" +[src-v2-rs]: src/v2.rs + "CVSS v2 parsing and scoring" +[src-v3-rs]: src/v3.rs + "CVSS v3 parsing and scoring" +[src-v4-rs]: src/v4.rs + "CVSS v4 parsing and scoring" +[nvd]: https://nvd.nist.gov/ + "National Vulnerability Database (NVD)" +[cvss-calcs]: https://github.com/pablotron/cvss-calcs + "Generate random CVSS vector strings and score them." +[crates.io]: https://crates.io/ + "Rust package registry" +[docs-rs-polycvss]: https://docs.rs/polycvss + "polycvss API documentation on docs.rs" +[crates-io-polycvss]: https://crates.io/crates/polycvss + "polycvss on crates.io" +[serde]: https://serde.rs/ + "Rust serializing and deserializing framework." +[polycvss v0.2.1]: https://github.com/pablotron/polycvss/releases/tag/0.2.1 + "polycvss version 0.2.1" +[polycvss v0.3.0]: https://github.com/pablotron/polycvss/releases/tag/0.3.0 + "polycvss version 0.3.0" +[polycvss v0.3.1]: https://github.com/pablotron/polycvss/releases/tag/0.3.1 + "polycvss version 0.3.1" +[polycvss v0.3.2]: https://github.com/pablotron/polycvss/releases/tag/0.3.2 + "polycvss version 0.3.2" +[v4-nomenclature]: https://docs.rs/polycvss/latest/polycvss/v4/enum.Nomenclature.html + "polycvss::v4::Nomenclature documentation." diff --git a/content/projects/polycvss.md b/content/projects/polycvss.md new file mode 100644 index 0000000..eddea7a --- /dev/null +++ b/content/projects/polycvss.md @@ -0,0 +1,10 @@ +--- +title: "polycvss" +slug: "polycvss" +active: true +repo: "https://github.com/pablotron/polycvss" +text: "Self-contained C11 SHA-3 implementation." +text: "Rust library for CVSS vector string parsing and score calculation." +text: "Rust library to parse and score CVSS vector strings." +--- +Rust library to parse and score CVSS vector strings. |