GrapheneOS & Privacy

Intro This post explores the option of using GrapheneOS as an alternative to iOS and Android. The main motivator is the ongoing privacy debate that has gained even more traction as Apple announced their child sexual abuse material (CSAM) protection system. Hear what privacy advocate Matthew Green thinks about CSAM on CNBC. The question I want to answer in this post is: Is there a viable alternative to iOS and Android for me that values privacy?...

September 5, 2021 · 9 min · pat, p15r

Installing Ubuntu 20.04 on Thinkpad X1 Gen9

tl;dr Upgrade the kernel to 5.13 & upgrade linux-firmware. Basically, everything works out of the box when installing a vanilla Ubuntu 20.04 (LTS) on the Lenovo Thinkpad X1 Gen9. However, the fan control is not optimal, which leads to fan noise and slightly higher chipset temperatures. This issue can be addressed by upgrading the kernel and related firmware: Upgrade BIOS to v1.44 (N32ET68W): use fwupdmgr or manually upgrade from Lenovo's bootable ISO (n32ur09w....

August 2, 2021 · 2 min · pat, p15r

Distributey

Recently, I have been working on a new evening/weekend project that I would like to share as it might be useful to others as well. tl;dr distributey acts as an intermediary between a key consumer and a key service. It receives requests from the key consumer, fetches the key material from the key service and sends back JWE-wrapped (RFC7516) responses. Why does distributey (say “duh·stri·byoot·i”) exist? Particularly in enterprises, key material is often generated on-premises for compliance & security reasons....

November 28, 2020 · 2 min · pat, p15r

AZ DevOps API Authentication using AAD as Authority

TL;DR: Use MSAL and OAuth ROPC with scope 499b84ac-1321-427f-aa17-267ca6975798/user_impersonation. Microsoft's Graph API (MS Graph) [1] is a convenient way to access a vast amount of Azure data programmatically. Its use is straightforward and generally speaking painless. However, there are still many Azure service APIs that haven't been integrated, such as the Azure DevOps API (AZ DevOps) [2]. The AZ DevOps API originates from the Team Foundation Server (TFS), which had its API designed long before MS Graph....

May 14, 2020 · 10 min · pat, p15r

Proxifying an HTTP connection

Recently, I ran into the situation where I needed a piece of software, running inside a corporate network, to communicate with a backend service on the internet. The challenge was that, in order to reach the internet, the communication had to go through a forward proxy. However, the software did not have built-in proxy support. This post addresses some options to solve that problem, although not all of them in the same depth....

May 4, 2020 · 5 min · pat, p15r

k8s Operator

Intro When I recently decided to port a “non-containerized” application onto Kubernetes, I struggled to find a solid approach to manage its lifecycle (deploy, upgrade, rollback, resize, etc.). It seems that most solutions involve delegating logic to a human or some custom scripts that need to be developed for every application. This, of course, is far from ideal. Thankfully, CoreOS came up with a solution called Operators. What is an Operator?...

December 1, 2019 · 5 min · pat, p15r

Host firewall & libvirt conflict

Libvirt takes care of networking, whether a VM is in NAT or bridge mode. In order to enable proper networking, libvirt manages some iptables rules. However, if the host firewall is not aware of changes made to iptables by libvirt and vice versa, conflicts must be expected. Think of the following situation: A VM is NAT-ed and provides a web service. In order to make the service accessible, a port-forwarding iptables rule is necessary to forward packets from the hypervisor to the VM....

August 6, 2019 · 4 min · pat, p15r

State of application-level network filtering on Linux

TL;DR: Serious application-level network filtering on Linux is possible using netfilter NFQUEUE. However, NFQUEUE is a low-level facility for developers. Wait until firewall solutions are created that provide abstraction through a user-friendly interface. Update 14.02.2019: systemd is using cgroupsv2 in combination with bpf to enable per-systemd-unit firewalling: https://www.youtube.com/watch?v=_obJr3a_2G8&app=desktop https://github.com/systemd/systemd/pull/6764 Application-level network filtering using iptables The “owner” module The owner module allows filtering of outgoing network traffic by the owning user: iptables -A OUTPUT -m owner --uid-owner 0 -j LOG iptables -A OUTPUT -m owner --uid-owner 0 -j DROP Use cases:...

August 6, 2019 · 6 min · pat, p15r

A simple homelab setup

I recently played around with various setups for my new home lab. One setup is fairly simple and old-fashioned, yet I like its flexibility: a virtualization environment using bridge mode. This post is a write-up using KVM and libvirt for such an installation. Setup The hypervisor machine is a single host, directly connected to an untrusted network (like the Internet). Consequently, network security must be taken into consideration. Simply bridging all virtual machines (VMs) to the Internet might not be a wise move....

August 6, 2019 · 7 min · pat, p15r

i3wm key modes aka submenus

Recently, I discovered the i3 key mode feature. Immediately, I configured two scenarios for better i3 control: management of music/video and (external) screens. The configuration for either scenario is straightforward. Here is my config for the management of music and video: set $mode_playerctl "playerctl: [p]lay/[p]ause [n]ext [b]ack" bindsym $mod+m mode $mode_playerctl mode $mode_playerctl { bindsym p exec playerctl play-pause; mode "default" bindsym n exec playerctl next; mode "default" bindsym b exec playerctl previous; mode "default" bindsym Return mode "default" bindsym Escape mode "default" } As any i3 user realizes quickly, the number of shortcuts that can be configured on any keyboard is finite....

August 6, 2019 · 2 min · pat, p15r

Chicken-and-egg problem with Ansible and Fedora 27

Ansible support of Python 3.x is crucial and works out-of-the-box: “Ansible 2.5 and above have support for Python 3.” (Ansible docs) However, the combination of Ansible and Fedora 27 (and maybe also Fedora 28?) causes a chicken-and-egg problem under certain circumstances. The problem Fedora ships only Python 3.x and recently removed Python 2.x from the base install. As part of a transition phase of moving from Python 2.x to Python 3....

August 6, 2019 · 2 min · pat, p15r

i3 tiling WM configuration

Update 31.07.2018: I added i3 key modes to my config: i3wm-keymodes You can read about my default Linux desktop setup here. This post focuses on i3, my favorite (tiling) window manager. The i3 configuration is straightforward. I am using the default settings with some additional tweaking for personal preferences. Custom config This is my customization of the i3 config (living in ~/.config/i3/config): #notifications, see desc below exec --no-startup-id /usr/lib64/xfce4/notifyd/xfce4-notifyd # NetworkManager GUI exec --no-startup-id /usr/bin/nm-applet # xfce power management (pkg: xfce4-power-manager) exec --no-startup-id /usr/bin/xfce4-power-manager # switch keyboard layouts (pkg: ibus-setup) exec --no-startup-id ibus-daemon --daemonize # enable tap-to-click for touchpad exec --no-startup-id xinput set-prop "SynPS/2 Synaptics TouchPad" "libinput Tapping Enabled" 1 # KDE's system monitor (pkg: ksysguard) exec --no-startup-id ksysguard # firewalld GUI exec --no-startup-id /usr/bin/firewall-applet # shortcut to lock screen (similar to Windows) (pkg: i3lock) bindsym $mod+l exec /usr/bin/i3lock -c 39004d # rename i3 workspaces at runtime bindsym $mod+r exec i3-input -F 'rename workspace to "%s"' -P 'New name: ' # I use terminator instead of xterm....

August 6, 2019 · 3 min · pat, p15r

Blocking ads and malware related traffic at network perimeter

One of my security controls in my home lab is to block certain DNS traffic (and IP address-based traffic, of course). It is basically ads- and malware-related traffic that I filter. A convenient place to do this is the network perimeter. Adding protection here safeguards all clients (laptops, gaming consoles, smartphones, etc.) within the network. Currently, I am using a pfSense package called pfBlockerNG [1], which blocks DNS traffic for me....

August 6, 2019 · 1 min · pat, p15r

My Linux Desktop

Since I have been asked quite frequently about my Linux desktop setup, I decided to write about it. Do not expect this blog post to be a nicely written article. Instead, expect a collection of settings and tweaks that I use to create a comfortable Linux desktop environment. Please note that this post is work in progress and will be updated over time. Hardware I recently purchased the Lenovo Thinkpad X1 Carbon 6th gen....

August 6, 2019 · 5 min · pat, p15r

Thinkpad X1 Carbon 6th Gen

Changelog: 13.03.18: Errata, added information about the GNOME issue 27.05.2019: Last year, Lenovo issued a BIOS upgrade which added a “Linux” suspend mode, which works smoothly. TL;DR: Linux runs well on the new Thinkpad X1, except suspend to RAM (fingerprint sensor not tested). This post might be updated in the future to inform about Linux updates (e.g. newer kernels, etc.) that improve the experience operating this laptop. Thus, this post is work in progress and is far from being complete....

August 6, 2019 · 15 min · pat, p15r