Security & privacy related stuff
Securely wiping SSDs
Wiping data carriers protects personal data when reselling them. Since SSDs contain quite a lot of error-handling and buffering logic, they are more difficult to wipe than spinning disks.
I document my best-known method here. TL;DR: as commenters pointed out, ideally use OS-level encryption, then throw away the key. Alternatively, use the built-in security erase via hdparm, combined with shred.
Tunnel Apple AirPlay/Bonjour across zones in OpenWRT Firewall
I've separated my wifi on my OpenWRT (18.06.2) router (Netgear R7800) into a guest zone and a lan zone for security purposes (well, not really; I did it because it was possible). One service I want to allow from the guest zone to the lan zone is AirPlay, which uses multicast traffic (Bonjour). It turned out to be somewhat difficult to diagnose and get this working. In the end I made the AppleTV part of both zones by connecting its LAN port to the local zone and its WLAN to the guest zone.
Some required steps include (but are not sufficient on their own):
- Install avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support as suggested by this post
- Forward ports from guest -> lan as listed by Apple
- Power cycle/reboot router, AppleTV, and clients (just to be sure)
- Profit! --> still doesn't seem to work stably
DNS-based AdBlock on OpenWRT
Router-based ad-blocking has the advantage that all connected clients are protected. It might also speed up connections, because filtering is done upstream (i.e. on the router rather than on each client). However, this might be offset by the relatively slow hardware of routers.
On-demand iOS VPN using Configuration Profiles
After setting up an IKEv2 VPN on my Raspberry Pi, I wanted my iPhone to connect to it automatically and on demand.
Setting up an A+-grade nginx SSL server
Because I don't want to expose smarthome dashboards (like Domoticz or Grafana) directly to the internet, I've set up a separate server to publish data beyond my local network. For this I've chosen nginx with Let's Encrypt certificates renewed by certbot, enabling HSTS and fixing the Logjam vulnerability.