privsec-dev / privsec.dev Goto Github PK

Thanks for writing Using Native ZFS Encryption with Proxmox!

A feedback for that article - for reference, in the latest Proxmox 8, I had to place authorized_keys and dropbear.conf under /etc/dropbear/initramfs/ for them to work.

dropbear-bin/stable,now 2022.83-1 amd64
dropbear-initramfs/stable,now 2022.83-1 all

Also, I think it's worth mentioning that dropbear can be configured before encrypting the pool - it would be a bit easier to type in the password 😂.

I've just read https://privsec.dev/posts/android/f-droid-security-issues/ and am deciding to switch to a different F-Droid client to avoid some of the issues mentioned there (e.g. targeting an higher Android API level to make use of better sandbox features, not requiring a privileged extension with questionable security practices for batch updates while still allowing batch updates).

The post mentions that

Droid-ify (recently rebranded to Neo-Store) seems to be a better option than the official client in most aspects.

However, both Droid-ify and Neo-Store seem to be alive and well:

• https://github.com/Droid-ify/client
• https://github.com/NeoApplications/Neo-Store

What has happened here? Should I use Droid-ify or Neo-Store instead of F-Droid, or are they equivalent from a security standpoint?

Width and height should be specified at build time.

Says "generally people with technical knowledge and work in the field." Should be "generally people with technical knowledge that work in the field."

https://privsec.dev/about

Edit: also a spelling error: "we are not affiliated, associiated " should be "we are not affiliated, associated "

Advice in https://privsec.dev/posts/linux/docker-and-oci-hardening/#the-no_new_privs-bit works only as

    security_opt:
      - "no-new-privileges=true"

when I tested it with Docker version 24.0.7 and Docker Compose version v2.21.0.

Regarding:
https://privsec.dev/posts/linux/desktop-linux-hardening/#dnssec

You might like this wiki page:
https://www.kicksecure.com/wiki/DNS_Security

Missing topics:

• DNSSEC validating vs non-validating
• DNS encryption (DoT, DoH)

I recommend making a Windows guide to improve everyone's privacy & security. Here are two examples (both of which I assisted making in one capacity or another)

https://thenewoil.org/en/guides/moderately-important/desktop-settings/

https://discuss.privacyguides.net/t/windows-guide/250/4
https://deploy-preview-1659--privacyguides.netlify.app/windows/overview/#issues-present-in-windows
Finally there is the beerisgood guides to consider as well
https://github.com/beerisgood/Windows11_Hardening
https://github.com/beerisgood/Windows11_Privacy

• Facilitate internal content linking via UUID
  • Convert all internal links
• Permalinks for external usage (implementation TBD)

The Proxmox with native ZFS guide doesn't have any tamper protection anyways, so it is not the end of the world without these. However, it will be good practice to

• Not setup LetsEncrypt until the ZFS root dataset is already encrypted
• Rotate the server SSH keys after the dataset is encrypted
• Change the root password (just generally good practice to not expose the hash of the root practice I suppose)

I'm experiencing some buggy behavior when visiting your site from a WebKit browser—in this case, Safari.

Consecutively clicking through 3 or so pages on your site results in the webpage crashing:

And if it's of any help, these are the error messages that appear in the console:

I haven't experienced any similar issues on other sites, so I do think it's on your guys' end.

Here are more concrete sources than just the forum thread.
https://divestos.org/misc/e.txt

I have 2 related suggestions for the guide for the Mullvad VPN on Qubes OS guide.

1. Since November 20, 2023, Mullvad VPN is available via package repositories for Ubuntu/Debian and Fedora. If possible, I think this update could be worked into the guide.
   • This means that updating Mullvad VPN in the Fedora TemplateVM should be hypothetically easier now, once the repository is set up.
2. Also, I think the fine details should be verified after Qubes OS 4.2.0 on December 18, 2023, which includes: "[d]efault Fedora and Debian templates use Xfce instead of GNOME".
   • I'm not sure if this will make removing unneeded packages out of the Fedora TemplateVM easier, based on these changes in Qubes OS 4.2.0, as some readers will be following this guide from a new Qubes OS 4.2.0+ installation.

Basically title.

Some personal digging pointed me towards https://github.com/Kicksecure/security-misc/tree/master/usr/lib/sysctl.d/ becoming the new link. I might be wrong though*.

Btw, I love your work! Thank you so much! Much appreciated!

fdroid targets 28 now and fdriod basic (what a bizarre name) targets 33 for non system app unattended updates

The article Desktop Linux Hardening states disk encryption requires an OS reinstall if it was not enabled on first install. However, it is now possible to encrypt-in-place using cryptsetup's reencrypt feature (using --encrypt argument), which converts a currently unencrypted partition into a LUKS container. Although this approach does require a small amount of free space available at the end of the partition for the new LUKS header (applied using another argument), I have personally used this feature and it works as intended.

Despite the unencrypted data being leaked on the disk due to previously being written unencrypted, the same occurs with an OS reinstall without writing random data such as /dev/urandom when using a HDD, or impossible on an SSD without physical destruction (since ATA Secure Erase can't be trusted to have been implemented correctly without testing beforehand), so it shouldn't be an issue in this aspect.

While i3 does not support wayland, sway, which you recommend above recommending against i3, is a drop-in replacement for i3and I think this should be made apparent here, so people can switch to that if they are currently using i3 or planned to use it.

The post currently uses a cronjob. I need to update this to a launchd service that runs every 30 seconds later.

h4, h5, and h6 are currently smaller than body text. Font sizes are hardcoded upstream (adityatelange/hugo-PaperMod#541).