Notes for building Copperhead OS for the Pixel XL. (gist here: https://gist.github.com/ramann/62abe0b266bb8c3e8483c7c7ca60fdb8) This was done on Ubuntu 14.04.5 LTS, using GNU Make 3.81 (3.81-8.2ubuntu3) and Python 2.7.6 (2.7.6-8ubuntu0.2), as recommended on https://source.android.com/setup/requirements#software-requirements. All below instructions are specific to the Pixel XL (marlin) and come from https://copperhead.co/android/docs/building.

I wanted to get some hands-on experience with Docker and Spring Boot, so I built a Spring Boot webapp, and have put together Docker images to tie it together with Bitcoin Core, strongSwan, and a database. Oh, also, it is absolutely no fun trying to choose a VPN service. I’m not aware of any VPN providers that offer certificate-based authentication for IKEv2/IPsec. Given the current transaction fees and confirmation delays with Bitcoin, it would make sense to go with a different cryptocurrency. You can clone the most up-to-date instance of this project here.

We use F5’s Application Security Module (ASM) as our WAF at work, and it sucks!

I recently obtained a GnuPG card (v2.1) from kernelconcepts.de. Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the below steps should be done on an offline computer such an Ubuntu livecd (still calling them CDs?).

Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t get automatically directed in the clear through my ISP. Currently I am using DigitalOcean but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume to the worst), I will likely end up choosing a provider based in Europe.

A script to grab the cert for a given domain, and print the date & reason for revocation.

The Gentoo documentation has a tutorial on setting up a simple sandbox. The simplest of all sandboxing methods uses discretionary access controls - on a Linux machine, these are user/group ownership and permissions. No seccomp, no user namespaces, no SELinux.

This walk-through was forked from ageis’ gist on building a grsec-patched kernel for Debian 8 and DigitalOcean.

Recently I was generating two 4096-bit RSA keys for PGP encryption & signing… and it took nearly 6 minutes for me. I can’t wait that long! GPG uses /dev/random as the RNG when generating a new key pair and there is no way to use /dev/urandom without modifying the GPG code.

IPsec is (as far as most people know) a secure (you aren’t using a PSK, I hope) - yet complex - way to secure IP traffic. It supports IP traffic confidentiality and integrity and can be used to build a VPN. strongSwan is an IPsec implementation available for Linux that I’ve been using for over a year now.

pfSense is a FreeBSD-based firewall/security-focused distribution. It can act as a firewall, router, DHCP server, DNS server. It also has a package manager with some security related packages. I’ve been playing around with it for the past couple of weeks.

I first got into Bitcoin back in 2013, before a media frenzy caused the price to skyrocket over $1000. Though it has its problems, I think the blockchain concept is awesome.

Yeah… no.

Details on setting up a de-sensorized (desensitized?) Android phone for use with strongSwan (and USB tethering!). (Other files: https://github.com/ramann/android-tether-vpn )

Since I have a “PKI”-branded smartcard, I decided to see how I could use it with a PKI. I went through a basic PKI tutorial, (http://pki-tutorial.readthedocs.io/en/latest/simple/) but wasn’t sure how I would interface with the smartcard…

Remember that scene at the end of The Conversation where Gene Hackman’s character is seen digging up the floor of his apartment looking for the surreptitious microphone?

Eight or nine years ago, when I was first getting into Linux, I played around with a few distributions and ultimately ended up settling on Ubuntu. It was simple to install, easy to use, and had good driver support for the laptop I was using at the time.

It turns out smartcards are cool. It also turns out there is no up to date documentation on using one to unlock an encrypted /root partition during boot. Frustrated by this, I got a hold of a smartcard and dug in to figure out things myself. After all, how many 35+ character passwords am I supposed to remember?

One of the IT security efforts that the GOVERNMENT OF THE UNITED STATES ;) has been really pushing recently is the use of smartcards. I had to go to an office and get my picture taken and the entire surface of both hands printed when I got my PIV Card (basically a smartcard with some identity objects: http://csrc.nist.gov/groups/SNS/piv/standards.html).

One project that I’ve just started fooling around with involves airplane transponder transmissions. It turns out that with a software-defined radio USB dongle (<$30 on Amazon or <$10 on Ebay from Hong Kong) you can grab the transponder signals from planes (which (generally) have data elements such as ICAO code, altitude, speed,lat, long, etc.).

Recently I mentioned to an acquaintance that I was setting up a mail server so that I could move away from Gmail. He asked me if I was using Mail-in-a-Box. I had no idea what that was - I was going through some instructions from Ars that I had used previously.