this post was submitted on 04 Jul 2024

Explorations in Networking and Computing

Hardened Grub in Libreboot https://libreboot.org/docs/linux/grub_hardening.html

See Mate Kukri at upcoming Open Source Firmware Conference about TPM compromise.

https://libreboot.org/docs/install/spi.html Ready to get out your pi and external programmer? https://en.m.wikipedia.org/wiki/CryptoParty

top 4 comments
[–] lightscription 1 points 2 months ago* (last edited 2 months ago)

minicom UART for Pi

SPI connector SOIC8

[–] lightscription 1 points 2 months ago* (last edited 2 months ago)

RPi connects automatically (wpa_supplicant) to the SSID if you use their imager (not dd), but you need access to the router API to get the pi's IP (or nmap -sP), and then a script automatically configures the ssh private-public key on first initialization, which is default rsa, but you can text-box in an ssh-keygen ed25519 (521 bit 100+ rounds).

Beagle Bone or some other SBC may be preferable if you want to avoid wireless connections for sensitive firmware operations. Make sure your router is locked down tight because some asshole is supposedly going to hostile-takeover your pi, but there is no way for him to do so without an NSA because the ssh crypto curves are strong (no civilian breaks rsa 4096, let alone the newer quantum resistant ed25519).

~~No way to connect to rpi without peripherals because defaults need to be changed via terminal first for UART serial and WiFi ssh.~~ Editing bootfs and rootfs (unless you want to make time-consuming scripts) won't do it. This is probably by design, since rpis ship with default Google DNS for telemetry and data mining. ~~Suggest changing resolv.conf~~* so Google doesn't 8 all your pi before you get some.

*After ssh configuration, rpi uses the DNS of the router.

[–] lightscription 1 points 2 months ago* (last edited 2 months ago)

Plug the rpi into power and it will connect automatically with the wpa_supplicant script made by the imager (/NetworkManager/system-connections/preconfigured-connection), then run the following commands from your laptop connected to the same router.

ip addr

inet is ip of (you can even use a cell hotspot) if you want to use nmap

sudo bettercap (add wifi module to PCI if you are using Qubes)

net.probe on

endpoint.new is ip of pi detected as

Login successful!

Most IoT doesn't need full disk encryption because it is protected physically, and what is most important is the private-public key security of ssh for remote login. Raspbian has SELinux enabled and is as secure when connected to networking as most servers, with not much additional hardening required (especially if you are flashing firmware and not running an infinite uptime you have to protect from attacks).

https://en.m.wikipedia.org/wiki/Identicon

This cryptography is immune to timing attacks: https://en.m.wikipedia.org/wiki/Curve25519

With Raspbian OS on this sbc, you can't just use dd because of how the OS defaults are set, which prevent any interfacing with the pi except via ssh wirelessly (maybe eth0 on other models). The openssh scripts are made by Canonical but generated locally (usr/lib/openssh FIRSTUSER), which also means you can't just configure ssh/sshd.conf. But you can copy a self-generated ssh public key to the imager settings (their default is rsa, but your own ed25519 will also work).

I recommend configuring your router's DNS resolver to Cloudflare (with malware filter) or something besides Google8, and also editing the sources list and raspi.list to add the S to http.

Then, after you have sshed in, you can update, git clone lbmk, and change the raspi-config to enable UART. After that, you can proceed hardwired with minicom and rfkill all wireless for extra security.

libreboot lbmk acquired successfully!
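The two housekeeping edits the comment above recommends before you start pulling firmware tooling onto the Pi (switch the apt mirrors from http to https, and stop resolving through Google's public DNS) are simple enough to script. The block below is an added example written for this thread; it is not from the comment author, the Libreboot project or the Raspberry Pi OS project. It works on constructed copies of the files in a temp directory so it runs offline anywhere; on a real Pi the targets would be /etc/apt/sources.list, /etc/apt/sources.list.d/raspi.list and /etc/resolv.conf. The resolver address 1.1.1.2 is Cloudflare's malware-filtering resolver, matching the comment's suggestion.

```shell
#!/bin/sh
# Added example for this thread (not the comment author's or any project's code).
# Rewrites plain-http apt sources to https and replaces a Google-DNS resolv.conf,
# on copies of the files so it can be run and checked without touching a real Pi.
set -e

# Rewrite "deb http://" and "deb-src http://" lines to https in place (via a temp
# file, so it works with both GNU and BSD sed). Comments and other lines are left
# alone. Returns 0 if no plain-http deb lines remain, 1 otherwise.
harden_apt_sources() {
    f="$1"
    sed -e 's|^\(deb \)http://|\1https://|' \
        -e 's|^\(deb-src \)http://|\1https://|' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    ! grep -q -e '^deb http://' -e '^deb-src http://' "$f"
}

# Count nameserver lines pointing at Google's public DNS (8.8.8.8 / 8.8.4.4).
# Prints the count (0 when there are none) and always returns 0.
count_google_dns() {
    grep -c '^nameserver 8\.8\.[48]\.[48]$' "$1" || true
}

# Replace the resolver list with a single chosen resolver. Returns 0 on success.
set_resolver() {
    f="$1"; ns="$2"
    printf 'nameserver %s\n' "$ns" > "$f"
    grep -q "^nameserver $ns\$" "$f"
}

# Demo on constructed files (stand-ins for the real paths on the Pi).
demo() {
    d=$(mktemp -d)
    printf 'deb http://deb.debian.org/debian bookworm main\n' > "$d/sources.list"
    printf '# mirror list, see http://example.invalid (comment, not rewritten)\n' >> "$d/sources.list"
    printf 'deb-src http://deb.debian.org/debian bookworm main\n' >> "$d/sources.list"
    printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$d/resolv.conf"

    harden_apt_sources "$d/sources.list"
    echo "google resolvers before: $(count_google_dns "$d/resolv.conf")"
    set_resolver "$d/resolv.conf" 1.1.1.2
    echo "google resolvers after:  $(count_google_dns "$d/resolv.conf")"
    cat "$d/sources.list" "$d/resolv.conf"
    rm -rf "$d"
}

demo
```

On a Pi running NetworkManager, /etc/resolv.conf may be regenerated on the next connection, so the durable fix is the one the comment gives: set the resolver on the router, and use `set_resolver` only to confirm what the image shipped with. The https rewrite does not replace apt's signature checking; it just keeps the mirror traffic and package names off the wire in clear.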

[–] lightscription 1 points 2 months ago* (last edited 2 months ago)

[note: WP and Hold resistors not required for In-System Programming]