make install;

some notes to myself



Building Copperhead OS for the Pixel XL

Written on January 20, 2018

Notes for building Copperhead OS for the Pixel XL. (gist here: This was done on Ubuntu 14.04.5 LTS, using GNU Make 3.81 (3.81-8.2ubuntu3) and Python 2.7.6 (2.7.6-8ubuntu0.2), as recommended on All below instructions are specific to the Pixel XL (marlin) and come from

Docker(strongSwan + MySQL + bitcoin + Spring Boot)

Written on January 2, 2018

I wanted to get some hands-on experience with Docker and Spring Boot, so I built a Spring Boot webapp, and have put together Docker images to tie it together with Bitcoin Core, strongSwan, and a database. Oh, also, it is absolutely no fun trying to choose a VPN service. I’m not aware of any VPN providers that offer certificate-based authentication for IKEv2/IPsec. Given the current transaction fees and confirmation delays with Bitcoin, it would make sense to go with a different cryptocurrency. You can clone the most up-to-date instance of this project here.

F5 WAF Suckage

Written on November 11, 2017

We use F5’s Application Security Module (ASM) as our WAF at work, and it sucks!

GnuPG card setup

Written on April 18, 2017

I recently obtained a GnuPG card (v2.1) from Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the below steps should be done on an offline computer such as an Ubuntu livecd (still calling them CDs?).

pfSense & Ubuntu/Strongswan for VPN

Written on February 23, 2017

Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t get automatically directed in the clear through my ISP. Currently I am using DigitalOcean but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume the worst), I will likely end up choosing a provider based in Europe.

Simple Sandbox

Written on November 6, 2016

The Gentoo documentation has a tutorial on setting up a simple sandbox. The simplest of all sandboxing methods uses discretionary access controls - on a Linux machine, these are user/group ownership and permissions. No seccomp, no user namespaces, no SELinux.

Feeding /dev/random

Written on June 25, 2016

Recently I was generating two 4096-bit RSA keys for PGP encryption & signing… and it took nearly 6 minutes for me. I can’t wait that long! GPG uses /dev/random as the RNG when generating a new key pair and there is no way to use /dev/urandom without modifying the GPG code.

IPsec server details

Written on May 8, 2016

IPsec is (as far as most people know) a secure (you aren’t using a PSK, I hope) - yet complex - way to secure IP traffic. It supports IP traffic confidentiality and integrity and can be used to build a VPN. strongSwan is an IPsec implementation available for Linux that I’ve been using for over a year now.


Written on April 2, 2016

pfSense is a FreeBSD-based firewall/security-focused distribution. It can act as a firewall, router, DHCP server, DNS server. It also has a package manager with some security related packages. I’ve been playing around with it for the past couple of weeks.

Switching back to Ubuntu

Written on September 27, 2015

Eight or nine years ago, when I was first getting into Linux, I played around with a few distributions and ultimately ended up settling on Ubuntu. It was simple to install, easy to use, and had good driver support for the laptop I was using at the time.

Smartcard unlock encrypted /root

Written on September 6, 2015

It turns out smartcards are cool. It also turns out there is no up-to-date documentation on using one to unlock an encrypted /root partition during boot. Frustrated by this, I got a hold of a smartcard and dug in to figure out things myself. After all, how many 35+ character passwords am I supposed to remember?

SDR and airplane transponders

Written on August 24, 2015

One project that I’ve just started fooling around with involves airplane transponder transmissions. It turns out that with a software-defined radio USB dongle (<$30 on Amazon or <$10 on eBay from Hong Kong) you can grab the transponder signals from planes (which (generally) have data elements such as ICAO code, altitude, speed, lat, long, etc.).

Moving away from Gmail

Written on July 5, 2015

Recently I mentioned to an acquaintance that I was setting up a mail server so that I could move away from Gmail. He asked me if I was using Mail-in-a-Box. I had no idea what that was - I was going through some instructions from Ars that I had used previously.
