Security & privacy related stuff

Securely wiping SSDs

By Atomstar on Sunday 29 December 2019 10:57 - Comments (14)
Categories: Linux, Security, Views: 3.284

Wiping data carriers can protect personal data when reselling them. Since SSDs have quite some error-handling and buffering logic, they are more difficult to wipe.

I document my best-known method here. TL;DR: as commenters pointed out, ideally use OS-level encryption, then throw away the key. Alternatively, use the built-in security erase via hdparm, combined with shred.


Tunnel Apple AirPlay/Bonjour across zones in OpenWRT Firewall

By Atomstar on Friday 20 September 2019 21:20 - Comments (2)
Categories: Linux, Security, Views: 1.853

I've separated my wifi on my OpenWRT (18.06.2) router (Netgear R7800) into a guest zone and a lan zone for security purposes (well not really, I did it because it was possible). One service I want to allow from guest -> lan zone is AirPlay, which uses multicast traffic (Bonjour). It turns out to be somewhat difficult to diagnose or get this working. In the end I made the AppleTV part of two zones by connecting LAN to local zone and WLAN to guest zone.

Some required steps include (but are not sufficient):
  1. Install avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support as suggested by this post
  2. Forward ports from guest -> lan as listed by Apple
  3. Power cycle/reboot router, AppleTV, and clients (just to be sure)
  4. Profit! --> still doesn't seem to work stably
Unfortunately, I was not able to get this working with my Pioneer VSX-510 which supports AirPlay (v1) natively. Below I note some more details.


DNS-based AdBlock on OpenWRT

By Atomstar on Saturday 23 February 2019 13:13 - Comments (4)
Category: Security, Views: 3.890

Router-based ad-blocking has the advantage that all connected clients are protected. Also, it might speed up connections because filtering is done upstream (i.e. not on the client but on the router). However, this might be offset by the relatively slow hardware of routers.


On-demand iOS VPN using Configuration Profiles

By Atomstar on Saturday 23 February 2019 12:25 - Comments (2)
Category: Security, Views: 1.173

After setting up an IKEv2 VPN on my Raspberry Pi, I wanted my iPhone to connect to it automatically and on-demand.


Setting up an A+-grade nginx SSL server

By Atomstar on Sunday 27 January 2019 15:25 - Comments (7)
Categories: Linux, RaspberryPi, Security, Views: 4.196

Because I don't want to expose smarthome dashboards (like Domoticz or Grafana) directly to the internet, I've set up a separate server to publish data beyond my local network. For this I've chosen nginx using Let's Encrypt certificates renewed by certbot, enabling HSTS and fixing the Logjam vulnerability.
