GrapheneOS & Privacy

Intro This post explores the option of using GrapheneOS as an alternative to iOS and Android. The main motivator is the ongoing privacy debate that has gained even more traction as Apple announced their child sexual abuse material (CSAM) protection system. Hear what privacy advocate Matthew Green thinks about CSAM on CNBC. The question I want to answer in this post is: Is there a viable alternative to iOS and Android for me that values privacy? ...

September 5, 2021 · 9 min · 1708 words · patrick, p15r

Installing Ubuntu 20.04 on Thinkpad X1 Gen9

tl;dr Upgrade the kernel to 5.13 and upgrade linux-firmware. Basically, everything works out of the box when installing a vanilla Ubuntu 20.04 (LTS) on the Lenovo Thinkpad X1 Gen9 🤘. However, the fan control is not optimal, which leads to fan noise and slightly higher chipset temperatures. This issue can be addressed by upgrading the kernel and related firmware:
1. Upgrade the BIOS to v1.44 (N32ET68W): use fwupdmgr or manually upgrade from Lenovo’s bootable ISO (n32ur09w.iso)
2. Upgrade the kernel to 5.13.0-1009-oem: apt install linux-image-oem-20.04c
3. Upgrade the chipset firmware:
   - Get the firmware: git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git (master at 168452e at the time of testing)
   - Copy the new firmware: cp linux-firmware/* /lib/firmware/updates
   - Update the initramfs: update-initramfs -k all -u
4. Reboot
The CPU temperature should now drop from 50 to 40 degrees Celsius (with little CPU usage), and both fans should now be supported. ...

August 2, 2021 · 2 min · 226 words · patrick, p15r

Distributey

Recently, I have been working on a new evening/weekend project that I would like to share as it might be useful to others as well. tl;dr distributey acts as an intermediary between a key consumer and a key service. It receives requests from the key consumer, fetches the key material from the key service and sends back JWE-wrapped (RFC7516) responses. Why does distributey (say “duh·stri·byoot·i”) exist? Particularly in enterprises, key material is often generated on-premises for compliance and security reasons. Traditionally, HSMs are used to create and store said key material. However, using the cloud is becoming increasingly popular, which inevitably leads to the challenge that the on-prem key material must be made available to cloud encryption services. Typically, one of two approaches is used to distribute key material in such a situation: bring your own key (BYOK) or hold your own key (HYOK). BYOK means that the key service actively pushes key material to a key consumer (“the cloud”), while HYOK means that the key consumer can request key material from the key service. The rationale behind HYOK is that the key consumer holds the key material in a temporary cache that is flushed frequently. If a specific key is required, it is requested on demand. Many popular key services do not support HYOK out of the box, which is where distributey comes into play. It can be installed “in front of” a key service, serving HYOK requests from key consumers by communicating with the key service on their behalf. ...

November 28, 2020 · 2 min · 347 words · patrick, p15r

AZ DevOps API Authentication using AAD as Authority

TL;DR: Use MSAL and OAuth ROPC with scope 499b84ac-1321-427f-aa17-267ca6975798/user_impersonation. Microsoft’s Graph API (MS Graph) [1] is a convenient way to access a vast amount of Azure data programmatically. Its use is straightforward and, generally speaking, painless. However, there are still many Azure service APIs that haven’t been integrated, such as the Azure DevOps API (AZ DevOps) [2]. The AZ DevOps API originates from Team Foundation Server (TFS), whose API was designed long before MS Graph. Therefore, it can be a little confusing to work with these APIs, which follow different concepts. This post lays out the foundation for accessing the AZ DevOps API using OAuth 2.0 and a token issued by Azure Active Directory (AAD). ...

May 14, 2020 · 10 min · 2092 words · patrick, p15r

Proxifying an HTTP connection

Recently, I ran into the situation where I needed a piece of software, running inside a corporate network, to communicate with a backend service on the internet. The challenge was that, in order to reach the internet, the communication had to go through a forward proxy. However, the software did not have built-in proxy support. This post addresses some options to solve that problem, although not all of them in the same depth. ...

May 4, 2020 · 5 min · 1060 words · patrick, p15r