
March 31, 2024
A while ago, I posted about using SSH to proxy traffic within a Nebula network context.
In the last few months, I changed my implementation because SSH required some steps and accesses that I was not fully happy with.
In the previous iteration, I was using SSH as a SOCKS proxy.
The problem, though, is that I need to set up the connection every time and use my SSH credentials, so it becomes difficult to have it always on.
A different SOCKS proxy software needs to be used to achieve the same result without SSH.
March 29, 2024
For many years, VPN companies have advertised their VPNs as a necessary tool for all people who want to preserve their privacy.
For the same amount of time, I tried to explain to people that this view made no sense if not for those companies' sales.
As an example, Onavo, a Meta subsidiary, used to advertise its services, highlighting that, among other advantages, using their product “protects your personal info”.
This claim would not be a problem by itself, but it becomes one when a court finds out that this is not actually true, and new court documents seem to indicate that the behavior was worse than initially thought.
March 19, 2024 - Krakow, PL
March 15, 2024 - Bologna, IT
February 6, 2024 - Gent, BE
December 31, 2023
Since the merge of Quadlet in Podman, I’ve been moving multiple services to Podman Systemd services.
I find them to be easy to create, manage, and automate.
I recently migrated a complex system to Podman Systemd, where multiple processes write in a folder, and one process reads the folder’s content.
Before the migration, everything worked properly since all the processes were running natively on the machine with the same user.
After the migration, there were some permissions issues.
This issue allowed me to dive a little more deeply into the whole implementation of SELinux for containers and realize a few interesting things.
September 18, 2023
One of the aspects that I have always loved about Ansible is that it integrates very nicely with the rest of the system where it is running.
For example, you can easily configure all the SSH configurations directly by changing the ~/.ssh/config file.
I’ve seen multiple cases where the SSH configuration file needs to be tweaked.
A case that comes up occasionally is an environment configured in a way that requires Ansible to use a different SSH key for each machine it manages.
I’m aware that this is not an ideal setup since it is not increasing the security as much as the person who came up with such a rule was expecting.
Still, it is a requirement that some companies have for various historical reasons and, usually, it is impossible or impractical to challenge.
However, the same process applies to any other SSH connection tweaking that can be performed in the SSH configuration file, such as proxies, ciphers, host checks, etc.
February 24, 2023
A few weeks ago, I was doing a security check on one of my machines to ensure that everything was secure when I noticed some open ports that I was surprised to find.
The way I discovered those ports was by checking some ports with netcat (nc -zv IP_ADDRESS PORT).
I was expecting those ports to be closed, and I got surprised when netcat claimed to be able to connect to them.
December 21, 2022
Back in April, I announced the availability of gopass in the Fedora repositories.
In the last few months, though, gopass had multiple releases, many of which arrived in Fedora 38 but not Fedora 37.
Since Fedora 38 will be released in a few months, most users are not using it, and therefore those releases are not directly benefitting those users.
The reason for the delayed update for Fedora 37 is that the dependencies of gopass changed in the course of those updates, and the Fedora process makes updating packages with many dependency changes more painful than it could be.
November 29, 2022
As discussed in a previous post, I use Nebula to create a VPN connection between the various machines I use.
Usually, what I really care about in this setup is the ability to consume the services those machines expose on my Nebula network.
When I travel, I prefer to proxy my data through my nebula network.
This allows me to not have to care about the limitations imposed by those networks, as long as I'm able to open my tunnel.
The second advantage I have is that I can choose the location where my traffic leaves my VPN, since I have multiple machines in multiple nations.
Another advantage is that I can be sure that no data is visible to the network manager, even if this is becoming less and less relevant, since the majority of the traffic is encrypted nowadays.