Making the Internet Better (For Yourself)
- Install uBlock Origin in all of your web browsers
- Configure uBlock Origin in each of your web browsers
- enable Fanboy’s Social Blocking List
- add the following to “My filters”
- disqus.com
disquscdn.com
instagram.com
twitter.com
facebook.com
- disqus.com
- Enjoy a better internet
Recent Talks I’ve watched
Securing NTP Servers
Rarely am I using ntpd to serve ntp information. It is more useful for clock-correction than a strict ntp/sntp client. Thus I don’t want the service listening on a wildcard address, even when there is certainly a firewall in place. I prefer the service to not be listening at all, or listening only to the loopback interface. Here is how to configure that in ntpd and chrony.
ntpd
interface ignore wildcard
chrony
bindaddress 127.0.0.1
port 0
bindcmdaddress 127.0.0.1
cmdport 0
NTP Servers
There are many NTP server implementations now. Here are some:
- ntpd
- chrony
- ntpsec
- openntpd
- sntp clients
- systemd-timesyncd
- sntp
- also:
- ntimed – appears abandoned
Resources:
- Securing Network Time
- A security review of three NTP implementations
- concludes chrony is probably the best choice of ntpd, ntpsec, and chrony
- A rift in the NTP world
- Chrony: Comparison of NTP implementations
- NTPSec: Differences from NTP Classic
- NTPsec is not quite a full rewrite
I plan to give chrony a try.
More Facebook Awfulness
- Facebook Is Letting Job Advertisers Target Only Men
- Companies utilizing this feature: Uber, Boeing, T-Mobile
- Facebook Is Giving Advertisers Access to Your Shadow Contact Information
- ad-targeting using people’s phone numbers
- prior reporting from Kashmir Hill:
Firefox Monitor
I’m quite happy with my initial use of Firefox Monitor. I’ve recommended it to family, friend, co-workers. I recommend signing up for continuous monitoring. Anyone who has had a password compromise should consider that password and permutations there-of to be public knowledge.
For me the near constant data breaches we’ve seen in recent months is more evidence that strict regulation of retained personal information is necessary in the US and that it would be wise for more websites to consider whether storing passwords is even wise. I have argued that most websites should not be storing user passwords.
Blocking Countries By IP
This is not exactly the best strategy given that malicious actors probably have access to IP addresses from other countries. I was asked to research this and this is what I found.
- Major IP Addresses Blocks By Country
- Block Visitors by Country Using Firewall
- https://www.countryipblocks.net/country_selection.php
- 8 Ways to Block Visitors to Your Website by Country
The CPU I’d Like to Buy
- AMD Ryzen 5 PRO 2400GE Processor with Radeon™ Vega 11 Graphics
- Quad-Core, 3.2GHz, 35W TDP, ECC Support (allegedly)
Not only cannot I not buy that but I cannot buy:
- any AMD Ryzen PRO
- any AMD Ryzen GE
I’ve read speculation that they are going to OEMs. That’s fine I guess. I would like to build a new desktop sometime soon. The Ryzen 5 2400G is an option but it would be preferable to get what I actually want.
So Many Crypto Libraries
In general I’m in favor of people running with ideas of how to make a better software library or app. The more ideas that are manifest the more data people have to identify what works best. However, especially in the open source world, I sometimes feel like there is too much effort being spread around when it could be focused to greater effect. I’ve been feeling this way about crypto libraries for some time. Here are a few.
- SSL/TLS
- OpenSSL – C
- GnuTLS – FSF, C
- BoringSSL – Google, C
- LibreSSL – OpenBSD, C
- S2n – Amazon, C
- NSS – C
- Also
- Fizz – Facebook, C++14
- many others
- Crypto
- NaCl
- libsodium – API compatible with NaCL
- zinc – linux kernel
- Tink – Google
- Libgcrypt
- Also
- TweetNaCl – API compatible with NaCL but seemingly unmaintained
- underlock – Ruby
- many others
I understand that people feel this problem has not been solved well and that API’s and implementation goals and needs shift over time. Still, a common goal in software security is reducing the attack surface. It would be nice to see some coalescing in this space.
Update: Further Reading: