Skip to content

Instantly share code, notes, and snippets.

@mtigas
mtigas / signal_cli_mac.sh
Last active April 10, 2021 08:38
[macos] homebrew-installed signal w/v2 group support (fixes libzkgroup warning)
#!/usr/bin/env bash
set -e
set -x
brew install signal-cli || brew upgrade signal-cli
SIGNAL_LIBEXEC_LIBDIR="`brew --prefix signal-cli`/libexec/lib"
# zkgroup-java*.jar --- remove the linux x86_64 bundled lib
@mtigas
mtigas / onion-svc-v3-client-auth.sh
Last active September 20, 2024 18:35
experiments with using v3 onions with client auth (as of tor 0.3.5.X)
#!/bin/bash
# needs openssl 1.1+
# needs `basez` https://manpages.debian.org/testing/basez/base32hex.1.en.html
# (but something else that decodes the base64 and re-encodes the raw key bytes
# to base32 is probably fine too)
##### generate a key
openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
@mtigas
mtigas / 01.md
Last active January 6, 2018 00:40
some notes about meltdown & spectre patches

(originally from a tweet thread: https://twitter.com/mtigas/status/949337073495916544 )

updated january 5, 2018; 12:47 US Eastern Time

ok here's a rough list of links i have collected about patches for meltdown / spectre https://kb.cert.org/vuls/id/584653 , that i sort of compiled for my own reference but figure others might want. (info as of this morning, january 5. might have mistakes, use at own risk, etc)


MacOS High Sierra 10.13.2+, Sierra 2017-002 security update, and El Capitan 2017-005 security update mitigate meltdown:

@mtigas
mtigas / 0 ProPublica Tor hidden service config.md
Last active April 10, 2023 16:31
Configuration for ProPublica’s Tor hidden service proxy.

Note (December 16, 2021): These example files haven't been updated since 2016. In either 2019 or 2020, our onion domain was changed to a longer v3 onion address (p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion). The examples below don't reflect this, but the configuration portions remain accurate regarding how we currently serve the onion site. (Tor Browser dropped support for v2 addresses, such as propub3r6espa33w.onion, in the second half of 2021.)


These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

  • We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.
@mtigas
mtigas / 0-hidden-service-subdomains.md
Last active August 4, 2024 16:24
Example code for running a (HTTP/HTTPS) Tor hidden service supporting subdomains.

The following files show an example of how to create subdomains for onion site hidden services. (This hasn't been tested for hidden services for anything other than HTTP/HTTPS.)

(You might also want to read our blog post about ProPublica’s Tor hidden service, including a tutorial and notes on running a hidden service: https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services )

In general, this works (maybe just in recent Tor clients) because Tor will handle the connection to www.xxxxxxxxxxxxxxxx.onion as a connection to xxxxxxxxxxxxxxxx.onion. The encapsulated HTTP/HTTPS connection contains the subdomain in the Host: header (and in the case of HTTPS, the SNI

@mtigas
mtigas / gpg.conf
Last active September 24, 2024 14:40
hide your PGP version & other info
#~/.gnupg/gpg.conf
# Hide your PGP version & other PGP version metadata with these two config lines.
# This line hides the "Version: GnuPG vX.XX.XX" line
no-emit-version
# This line hides the "Comment: XXXXX" lines
no-comments
# NOTE if you are using Thunderbird+Enigmail you probably need to set this again in
# the Enigmail->Preference settings:
@mtigas
mtigas / gist:25d680ccea78ad7db37a
Last active August 29, 2015 14:11
Links to my slides & notes & maybe other stuff from the CryptoPartyNYC: Journalist Edition shindig, December 8, 2014.
@mtigas
mtigas / 1-tls
Last active March 5, 2016 18:06
Some PGP-signed verification for various ProPublica TLS & Tor hidden service identities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The following are the SSL certificate fingerprints for the
following propublica.org servers as of 2016-03-05.
CN or SAN: www.propublica.org
Note: this domain is now served via the Fastly CDN, relying on shared SSL
certificates. The www.propublica.org domain should be listed as a Subject
Alternative Name on the certificate served by the CDN endpoint.
@mtigas
mtigas / default.json
Created July 9, 2014 22:15
Examples of the three output formats for the Nonprofit Explorer API: default mode, "output=flat", and "output=noorg". See https://projects.propublica.org/nonprofits/api/
/* Example of "output=flat" format.
* https://projects.propublica.org/nonprofits/api/v1/search.json?q=propublica */
{
"total_results": 2,
"filings": [
{
"tax_prd": 201212,
"tax_prd_yr": 2012,
"formtype": 0,
"pdf_url": "https://bulk.resource.org/irs.gov/eo/2013_09_EO/14-2007220_990_201212.pdf",