Good writeup. One thing I would add for bastions, if you wanted to harden them, would be to disable session multiplexing if you are using MFA/2FA.
MaxSessions 1
The default is 10. The plus side of multiplexing is that subsequent connections using the same ssh connection channels are not validated against the authorization mechanisms such as login or 2FA. This reduces friction and speeds up the login process because login is not actually occurring. The trade-off of multiplexing is that all subsequent logins using that ssh connection are not logged nor are they validated with MFA. This means a person phishing your team members can easily hijack their connections without needing a password or 2FA, and there are no lastlog entries. SSH session multiplexing combined with passwordless sudo makes taking over a company trivial even if they have 2FA and strong passwords.
Another risk with a bastion model is port forwarding. As an organization you have to decide what is appropriate for that bastion. Unrestricted forwarding? Restricted? Denied?
AllowAgentForwarding no
AllowTcpForwarding yes
PermitOpen 192.168.1.2:22
If this bastion is for a PCI environment then one may want tighter restrictions. If it is for a development environment then maybe less restrictions and just better auditing on each host to enable forensic remediation.
If your bastion is also used for automation to drop files into a staging area, you can limit that automation to file transfers and even limit what it may do with files. This prevents the automation from having a shell or performing port forwarding.
The keys should be outside of the home directories to prevent malicious tools from appending additional authorized_keys into the account. Make use of automation to manage key trusts and add a comment to keys to map them to an internal tracking system like Jira. This assumes your MFA/2FA is excluding specific accounts or groups via PAM and permitting the use of ssh keys with specific groups or accounts.
AuthorizedKeysFile /etc/ssh/keys/%u
Match Group sftpusers
    Banner /etc/ssh/banner_sftp.txt
    PubkeyAuthentication yes
    PasswordAuthentication no
    PermitEmptyPasswords no
    GatewayPorts no
    ChrootDirectory /data/sftphome/%u
    ForceCommand internal-sftp -l DEBUG1 -f AUTHPRIV -P symlink,hardlink,fsync,rmdir,remove,rename,posix-rename
    AllowTcpForwarding no
    AllowAgentForwarding no
-P sets limits on what may not be done in sftp. -p does the inverse and limits what may be done. [1] -l DEBUG1 or VERBOSE will give you syslog entries of what commands were executed on the files. This is useful for audits. Some redundant settings above are also useful to set explicitly for audits.
Another thing mentioned in the article is iptables. In a PCI environment one may want to also have explicit outbound rules using the owner module to limit which users or groups are permitted to ssh out. So if your organization has a group of people allowed to use this host as a bastion, then one could write a rule like
Or specify what CIDR blocks, ports, and protocols may be used. You can use REJECT rules after this rule to make it obvious a connection was not allowed so that people do not spend hours debugging. This module is also handy for limiting which daemons may speak to your infrastructure. How strict or liberal the rule is depends entirely on the needs of your organization.
Lastly I would add that bastions should have as minimal an OS install possible and have SELinux enforcing. Actions denied by SELinux should go to a security operations center after you spend some time tuning out the noise and false positives.
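The checks the comment above argues for, as an added example (mine, not the commenter's code): a POSIX shell script that reads the global section of an sshd_config and flags MaxSessions above 1, agent forwarding left on, TCP forwarding without a PermitOpen list, and authorized_keys kept under the user's home. It assumes the OpenSSH defaults documented in sshd_config(5) when a keyword is absent (MaxSessions 10, AllowAgentForwarding yes, AllowTcpForwarding yes, PermitOpen any, AuthorizedKeysFile .ssh/authorized_keys), and it stops at the first Match line, so per-group overrides such as the sftpusers block are deliberately not evaluated.

```shell
#!/bin/sh
# audit_sshd.sh: flag bastion-hostile settings in the global section of an
# sshd_config (everything before the first "Match" line).
# Added example for this thread, not the commenter's code. The defaults
# assumed below are the OpenSSH defaults documented in sshd_config(5).

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_global_value FILE KEYWORD
# Print the value of KEYWORD from the global section of FILE, or nothing if
# it is not set there. sshd honours the first occurrence of a keyword,
# keywords are case-insensitive, and "Key value" and "Key=value" are both
# accepted, so the parser mirrors that.
sshd_global_value() {
    awk -v key="$(lc "$2")" '
        /^[ \t]*#/ { next }                   # comment line
        /^[ \t]*$/ { next }                   # blank line
        tolower($1) == "match" { exit }       # end of the global section
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, parts, /[ \t=]+/)
            if (tolower(parts[1]) == key) {
                sub(/^[^ \t=]+[ \t=]+/, "", line)   # strip keyword + separator
                print line
                exit
            }
        }' "$1"
}

# audit_sshd_config FILE
# Print one finding per line. Returns 0 when clean, 1 when anything was flagged.
audit_sshd_config() {
    cfg="$1"
    findings=0

    v="$(sshd_global_value "$cfg" MaxSessions)"
    v="${v:-10}"
    if [ "$v" -gt 1 ] 2>/dev/null; then
        echo "MaxSessions $v: multiplexed sessions bypass PAM/MFA and lastlog; set MaxSessions 1"
        findings=$((findings + 1))
    fi

    v="$(sshd_global_value "$cfg" AllowAgentForwarding)"
    v="$(lc "${v:-yes}")"
    if [ "$v" != "no" ]; then
        echo "AllowAgentForwarding $v: forwarded agent sockets on the bastion can be hijacked; set AllowAgentForwarding no"
        findings=$((findings + 1))
    fi

    v="$(sshd_global_value "$cfg" AllowTcpForwarding)"
    v="$(lc "${v:-yes}")"
    p="$(sshd_global_value "$cfg" PermitOpen)"
    p="$(lc "${p:-any}")"
    if [ "$v" != "no" ] && [ "$p" = "any" ]; then
        echo "AllowTcpForwarding $v with PermitOpen any: unrestricted forwarding; set AllowTcpForwarding no or list allowed targets in PermitOpen"
        findings=$((findings + 1))
    fi

    v="$(sshd_global_value "$cfg" AuthorizedKeysFile)"
    v="${v:-.ssh/authorized_keys .ssh/authorized_keys2}"
    for f in $v; do
        case "$f" in
            *%h*|[!/]*)    # relative to, or expanded from, the user's home
                echo "AuthorizedKeysFile $f: lives under the user's home; move keys to e.g. /etc/ssh/keys/%u"
                findings=$((findings + 1))
                break
                ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

It parses the file rather than calling `sshd -T` so it can run over a config copied off a host you are reviewing; on the host itself `sshd -T` remains the authoritative view of the effective values, Match blocks included.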
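The owner-module egress policy the comment describes, written out as an added example (mine, not the commenter's rule). The group name bastionusers, the destination networks 10.20.0.0/16 and 10.30.0.0/16, the chain name BASTION_EGRESS and the IPT variable are all placeholders of my own; the ordering (ACCEPT rules first, then a rate-limited LOG and an explicit REJECT with a TCP reset) is the point.

```shell
#!/bin/sh
# bastion_egress.sh: outbound SSH egress policy for a bastion using the
# iptables owner match. Added example for this thread, not the commenter's
# rule. Hypothetical names: group "bastionusers", destination networks
# 10.20.0.0/16 and 10.30.0.0/16, chain BASTION_EGRESS. Set IPT to a wrapper
# (e.g. IPT=echo) for a dry run that prints the commands instead of applying them.

IPT="${IPT:-iptables}"

# bastion_egress_rules GROUP CIDR...
# Members of GROUP may open tcp/22 to the listed CIDRs; every other outbound
# tcp/22 attempt, from any user or daemon, is logged and rejected.
bastion_egress_rules() {
    group="$1"; shift

    # A dedicated chain keeps the policy auditable and easy to reload.
    "$IPT" -N BASTION_EGRESS 2>/dev/null || "$IPT" -F BASTION_EGRESS

    # ACCEPT rules first: owner match on the socket's group, one per CIDR.
    for cidr in "$@"; do
        "$IPT" -A BASTION_EGRESS -p tcp --dport 22 -d "$cidr" \
            -m owner --gid-owner "$group" -j ACCEPT
    done

    # Then the explicit deny. LOG so denied attempts reach syslog/the SOC
    # (rate-limited), REJECT with a TCP reset so the user gets an immediate
    # "connection refused" instead of a hang they will spend hours debugging.
    "$IPT" -A BASTION_EGRESS -p tcp --dport 22 -m limit --limit 10/min \
        -j LOG --log-prefix "bastion-egress-denied: "
    "$IPT" -A BASTION_EGRESS -p tcp --dport 22 -j REJECT --reject-with tcp-reset

    # Hook the chain into OUTPUT once. The owner match is only valid in
    # locally generated traffic (OUTPUT/POSTROUTING), which is why it lives here.
    "$IPT" -C OUTPUT -j BASTION_EGRESS 2>/dev/null ||
        "$IPT" -I OUTPUT -j BASTION_EGRESS
}

# Stand-alone use (as root): sh bastion_egress.sh bastionusers 10.20.0.0/16
if [ "$#" -ge 2 ]; then
    bastion_egress_rules "$@"
fi
```

One caveat on `--gid-owner`: it matches the effective GID of the process that created the socket, not the user's supplementary groups, so bastion users need that group as their primary group. Where your iptables and kernel support the owner module's `--suppl-groups` option, add it to match supplementary groups instead; otherwise fall back to `--uid-owner` rules per user.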
I reverse engineered what this does in practice on pinephone modem (Quectel EG25G), for example, and there are pre-compiled binaries there for tmobile and vodafone that process their particular OMA DM flavors, download some configuration and code from internet and run it under root on the modem's SoC ARM CPU. (that's still isolated over USB from the main pinephone SoC, but obviously not good) It's also thankfully disabled by default, but if you google for oma dm android, you get reports of this protocol being used still.
Whatever it does on regular Android phone depends on how well it is implemented on android. Regular phones don't have two almost-isolated SoCs like pinephone, so oma dm client would probably run on the main SoC, and all depends on how secure that binary blob is or what it does/allows the operator to do.
Quectel software is a bit of a turd, so I wouldn't take from this that operators can run random code they make the device download under root user, using this protocol. Most proprietary software like this is pretty shit, so I wouldn't feel warm and fuzzy safe on random Android device either.
The "graphene" probably does add some modest mechanical and perhaps thermal properties to the foam of the shoe. There are plenty of papers and I'd suggest that you search Google Scholar and Google Patents for 'graphene rubber composites'; you'll be overwhelmed with examples.
However when discussing "graphene" it's helpful to differentiate between different types of two dimensional carbon lattices based on size and mode of manufacture.[0] There are two broad categories when we're talking about manufacturing applications at present:
The graphene in those runners is probably an exfoliated graphene micro/nanoplatelets made from graphite microparticles (previously an in-demand commodity for Li-ion battery anodes). The process used, given the industrial scale required, is most likely a chemical oxidation/reduction process (kind of messy), electrochemical means, or intercalation. The end result is more like confetti or the bits of paper left over from the hole-punch. This isn't your high-quality, electronic grade graphene, however most of the mechanical, thermal, optical, and electrical properties of graphene remain, and this graphene confetti can be blended into composites for the sake of those mechanical properties or to provide thermal or electrical conductivity.
Any company can blend a bit of graphene into their rubber or plastic and have the product given that sciency sheen. But you really want that graphene to be firmly embedded, since there are potential safety issues _in vivo_ [1]; Health Canada issued a recall alert for graphene-containing face masks in April, due to the possible risk of inhalation. [2]
The electronic grade graphene is generally larger in those two dimensions and presenting fewer defects — a full sheet of paper compared to the confetti type. For early experimentalists, the best source was also through exfoliation, albeit using Scotch tape to peel layers off of a large (1 cm or more in lateral dimensions) single crystal of graphite. Nowadays, epitaxial growth (i.e. grow one crystal using a different crystal as the template) is preferred, as it can be mass-produced, even using roll-to-roll techniques. That graphene can also be more readily transferred from one substrate to another, which is necessary since you are going to want your sheet of graphene laying on an insulating surface, rather than the metal on which it was epitaxially grown.
There are several other flavours of "graphene" — nanoribbon, oxide, fluorinated, multilayer, ligated, crumpled, charged, patterned, etc... But the two most consequential categories to keep in mind are whether you are dealing with "confetti" or "sheets". The nanoplatelet confetti can get inside you if not thoroughly immobilised.
No one sane would ever want their relatives, friends, work colleagues, and neighbors to be able to know (quoting from the OP):
> who you sleep with because both you and the person you share your bed with keep your phones nearby
> whether you sleep soundly at night or whether your troubles are keeping you up
> whether you pick up your phone in the middle of the night and search for things like "loan repayment"
> your IQ based on the pages you "like" on Facebook and the friends you have
> your restaurant visits and shopping habits
> how fast you drive, even if you don't have a smart car, because your phone contains an accelerometer
> your life expectancy based on how fast you walk, as measured by your phone
> whether you suffer from depression by how you slide your finger across your phone’s screen
> if your spouse is considering leaving you because she's been searching online for a divorce lawyer
No one sane is OK with corporations, governments, and other third parties being able to obtain and save this information either -- especially if their only hurdle is to get you to click "OK" to agree to some legal agreement almost no one has the time to read or expertise to understand in its full implications.
We need a New Declaration of Human Rights for the 21st century that takes into account rapidly advancing technologies for collecting and acting on data at mass scale.
My favourite monospaced font is Triplicate <https://practicaltypography.com/triplicate.html>: the only true serif monospace that I know of (though I have a vague feeling I found one other at some point). Every other serif monospace I know of is a slab serif. Triplicate’s variable stroke thickness is also exceedingly rare in monospaced fonts; almost everyone goes for uniform stroke thickness, as is customary with sans-serif fonts but anathema for true serif fonts (though slab serifs could be either). Variable stroke thickness can be a bit iffy on low-resolution displays, but so long as you keep the size up or use a high-resolution display, I find it very pleasant. I’ve been using Triplicate everywhere for the last few years, including on my website.
(Also note on that page, since people are talking about ligatures a lot in this thread: “No, there are no programming ligatures in Triplicate, and there never will be.” with a link to https://practicaltypography.com/ligatures-in-programming-fon..., which can be distilled to the quote “ligatures in programming fonts are a terrible idea”. I agree.)
Pragmata Pro and Operator are two other well-regarded and popular commercial monospaced fonts that are missing from this list.
Here in Germany, Toradex ARM SoMs are quite popular for industrial applications. The hardware is reliable and the software for it (Windows whatever CE is called now and Linux BSPs for Yocto) is pretty good on release and well maintained for many years afterwards. The modules are not exactly cheap for the performance but also not super expensive, generally in the 50-150€ range.
Yes, usually they use ADCs to read the voltage in between each cell in the series. If individual cells have higher voltage than other cells, a resistor for that cell is switched on to burn off excess charge.
More advanced controllers can use flyback transformers to move charge from one cell to another. This is vastly more expensive than just using a resistor, though, so it's only used in applications where energy conservation is key, like solar projects or where heat is a constraint. The LTC3300 is a good example: https://www.analog.com/en/products/ltc3300-1.html#
Here is a technique that is used to uncover hidden services:
1. purchase VPS products at a bunch of providers who accept bitcoin / crypto
2. ddos your target
3. see if you notice any of your hosted boxes go down
4. once you know the provider pop them (they're usually running some shitty WHMCS or similar homebrew solution, old Cpanel, etc. etc. and they're almost always resellers and amateurs) and move laterally to your target
When the feds do it against online drug markets (and they have been for years) they have the bonus of having decent network insight / view by working with backbone providers
Cost and ease of development by not throwing thousands of options in front of your screen.
Last time I checked, GCP cost me $26 (+ hidden charges) for the same thing I could get in many other places for $7. Some of them provide instant customer support too and are better because it's not an outsourced customer center in India or other places.
[1] - https://man7.org/linux/man-pages/man8/sftp-server.8.html