Hands Off Our Passports: Stop Attacking Transgender Americans

Nougat@fedia.io · 1 day ago

Hands Off Our Passports: Stop Attacking Transgender Americans

j4k3@lemmy.world · edit-2 1 day ago

Beware: this link is running a couple of piggybacking extras that are not part of the actual server page in question. I run a whitelist firewall so I see all traffic in logs.

Edit: Tell me what to say pls. I want to be effective.

Nougat@fedia.io · 1 day ago

The page links to source articles, and I believe it might preload from those?

j4k3@lemmy.world · 1 day ago

I only clicked the one link to regulations.gov. It took too long to load so I pulled the log to to see why it was not loading. About a minute later the page finally loads despite these other two being blocked. The ad label is because I still have adblock running even with my whitelist. So that link is known to one of the adblock source archives. The aws link could be anything, but it means data is filtering across Amazon servers and is therefore fingerprinted and tracked by Bezos.

Nougat@fedia.io · 1 day ago

Good luck avoiding AWS on the internet. Best just turn it off.

j4k3@lemmy.world · 1 day ago

I block it and Google static, fonts, captcha, everything. If anyone relies on JavaScript, that is the only thing that is either annoying or nonfunctional. I will never enable any site that is generalized and nonspecific. Very little of the total internet actually breaks from blocking all of this nonsense, stalkerware, and ambiguity. I have multiple reasons for blocking like this. Primarily, my bad scripts and code cannot escape to nmap the internet, and I will never have a sketchy download of a PDF datasheet for vintage hardware dial out again. Your firewall is like the front door of your digital home. You can live with none if you choose. I like to know who is in my house.

galaxia@lemmy.zip · 20 hours ago

How does one start implementing this kind of privacy and blocking? I have adblock, but that’s like the extent of my knowledge.

j4k3@lemmy.world · 15 hours ago

There are several ways. Whitelists are a PITA, especially for the fediverse. One could argue it is even more valuable on the fediverse as every computer you connect to implies some degree of trust.

The cheapest method is to setup the firewall on your local machine. The issue is that several applications are capable of bypassing this type of local implementation unless you get really into the weeds and use stuff like SELinux to restrict file permissions based on the file access context in addition to PAM user/groups. Fedora is the only desktop distro I know of that ships with SELinux integrated and running, but it is set to fully permissive by default so it is not actually doing anything unless you setup all of the access contexts.

If you are ever interested in this rabbit hole and struggling to wrap your head around the complexity, grab an old phone that is compatible with Lineage OS, install, but do not add a root binary. Then start playing around with the underlying Linux system using the USB ADB bridge. Try figuring out the proprietary modules for the SOC because it is fun. Also try making a script, and try adding or changing any files while you are there. Even if you know bash/GNU Linux the busybox like implementation of the minimum Unix like commands is an interesting experience if you have not tried it. If you’re used to commands like compgen, you’ll quickly see you need your own script to replace it or an aliased command to parse the path locations just to see all available commands. You will quickly begin to see how a fully configured SELinux implementation works with user/group permissions if you try to make any kind of persistent script in this Linux implementation. This is how any why Android is secured enough for idiot users to connect all kinds of high risk stuff like financials, that Linux system is very locked down unless you know and understand a CVE related to the specific orphan kernel.

The thing that sucks is that this area is generally a difficult thing to wrap your head around. I have not found a single FOSS source that makes a whitelist firewall easy. There are a couple of options in the OpenWRT add-on packages, but these are very limited and still not easy to deal with. The last one I tried only allowed like 500 entries and it was slow to parse the list, and buggy to edit.

The better option is to run a firewall on the router because your devices can’t effectively bypass it in stuff like docker or podman.

For me, I like pcWRT. It is an Asian guy in Texas selling routers already configured with OpenWRT and his own replacement front end that makes pretty much all advanced OpenWRT features easy. He also automatically updates and maintains the device. It seemed sketchy to me at first but it has actually worked out well for me. You need to keep occasional backups though, especially with a whitelist as major updates have wiped my setup a couple of times.

I also modify all of my routers with a CH340 or FT232 USB to UART chip module with a little hole for access from the outside and module hot glued in place. This gives bootloader level access to the chip and kernel logs. Most of what pcWRT is running is done in scripts that can be audited via this connection. There is one binary file, but skimming it in Vi, I did not see any web address strings, but there are strings present. So it is not encrypted. I certainly could have missed something, though I did compare the same router file system running the same version of OpenWRT side by side to compare them.

The only nuance in terms of a firewall in pcWRT is to create multiple profiles and make the default profile block everything. With pcWRT, you only need to enable the whitelist and add each address with the port number you want to connect to. The interface has full PiHole like functionality which might be another option. Also the hardware is reasonably priced at like $100-$150 last time I checked.