802.1X on OpenBSD

I have been using OpenBSD on a daily basis recently, and I have found it possible to do almost everything that I need to in a smooth and well-documented environment, but there are a few quirks that can be difficult to figure out. One such example is that many educational institutions and other large organizations tend to use WPA enterprise / WPA-802.1X mode for authentication to their wireless networks. This is not supported by OpenBSD base (yet? Read more...

SSH, the home network is torifying

I like to be able to access my home network remotely. My connection to the Internet is actually a rebroadcasting of various local WiFi networks, which presents a challenge for remote ssh access, since the IP address is dynamically assigned and changes often. My home network is served by a wireless AP that acts as a router, handing out local IP addresses via DHCP. Also, I like to be able to access the web interface for the upstream wireless access point and change networks remotely, while having the option of using a different internet connection on my laptop. Read more...

Barbra's Pi-Hole

Recently, I have taken to using a VPN for the majority of web browsing. This helps to prevent common ISP nonsense such as DNS hijacking, as well as providing some convenient security on untrusted networks, such as public WiFi. There are a variety of Free Software VPN tools out there, such as OpenVPN, {strong,libre,Open}swan, shadowsocks, and others. Additionally, if you are primarily a Linux user, then you can use the best VPN ever, WireGuard, created by Jason Donenfeld. Read more...

HSTS and http headers redux

This site is now included in the HSTS preload list, and will not be served over an insecure connection. In an effort to continually employ best security practices, I have successfully removed unsafe-inline from the site’s Content Security Policy. I did this by changing the way I am using Hugo’s syntax highlighting in the config.toml file. By enabling pygmentsUseClasses, I was able to use CSS to style code blocks as opposed to having the styles in a bunch of ugly <span></span> tags generated by pygments. Read more...

HSTS and http security headers

As I endeavor to learn more about (web) security, I decided to harden this site to serve content only via TLS, as well as to include it in the HSTS preload list. By submitting it for inclusion in the list, the domain name bghost.xyz will be hard-coded into Chromium and its proprietary descendant Google Chrome, as well as Mozilla Firefox. This is an implementation of IETF RFC 6797, HTTP Strict Transport Security (HSTS). Read more...

LibreSSL on funtoo

Recently, I decided to switch to LibreSSL from the default of OpenSSL on my funtoo installation. For the most part everything works. Following the gentoo documentation on the subject, I now have a funtoo system which has everything compiled against LibreSSL. Here is what I did to get things running. This is modified from the instructions at the above link.

    root# echo 'USE="${USE} libressl"' >> /etc/portage/make.conf

We need to get the files to build LibreSSL before we uninstall OpenSSL: Read more...

funtoo kernel upgrade

While I love many of funtoo’s attempts to streamline the install and upgrade process, I still choose to manage my kernel manually. I have been partial to gentoo-sources. Since I am currently using systemd-boot, when I want to boot to a newer kernel, I just change the relevant kernel and initramfs lines in /boot/loader/entries/funtoo.conf. However, that doesn’t mean a little automation can’t help. Here’s a trivial script I wrote that accepts user input to decide whether or not to clean the build dir before building the new kernel. Read more...

Streaming 'Democracy Now!'

Democracy Now! is a daily, independently syndicated, hour-long news program hosted by Amy Goodman. It is one of the better sources of global news, and I like to watch it regularly. However, I don’t like having to load a web browser just to watch the news, and I also don’t feel a need to subscribe to a podcast or download a bunch of .mp4 video just to delete it after watching. So, in the interest of learning new things and some newsflow automation, I wrote a little bash script to parse the URL for the latest archived episode of the program, based on the time since a previous episode has occurred. Read more...

configuring i3

I use i3 as my window manager. It is simple and fast, has sane defaults, and is actively developed. My workflow is typically a mix between using the terminal, specifically rxvt-unicode, and a browser (or two). I almost exclusively use the keyboard when not doing a specialized task, such as image editing, so I tend to use chromium with vimium, as it facilitates the use of keyboard hints and fits a vim paradigm regarding navigation. Read more...

kvm nat over host wireless

After using virtualbox as my only virtualization solution for quite some time, I have decided to try out QEMU/KVM. So far, I find this approach to be a better solution for my personal virtualization needs (a couple of BSD/Linux guest machines running on a Linux host), but because of the elusive and fragmented nature of documentation for the project, especially with regard to the available networking options and their various benefits and limitations, I have decided to write up some of my experiences in hopes that they will be useful to others. Read more...