Security

Posts tagged with Security.

How to verify my site signatures

23 Nov 2025

Update on the GPG Signing of My Website

I don’t remember exactly when I started, but for at least two years I’ve been signing the HTML pages on my website with GPG. I do this to practice sovereignty and authenticity, and to promote tools that help protect privacy.

At first, I kept the GPG signature embedded directly in the HTML content, for example:

<!--
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -->
<!doctype html>
<html lang=en>
<head>
    <meta charset=utf-8>
    <meta http-equiv=X-UA-Compatible content="IE=edge">
    <meta name=viewport content="width=device-width,initial-scale=1">
    <meta property="og:title" content="What I’d Tell My 23-Year-Old Self">
    <meta property="og:description" content="If I could whisper to my 23-year-old self, I’d tell him this:

    Stop wasting time worrying about what people think.
    Pour your energy into building, into creating, into making something that’s yours.
    And never forget: everything is impermanent — every victory, every failure, every storm.

    That truth alone is enough to keep you moving forward.">
    <meta property="og:url" content="https://adlermedrado.com.br/missives/what-id-tell-my-23-year-old-self/">
    <meta property="og:site_name" content="Adler Medrado's corner of the web">
    <meta property="og:type" content="article">
    <meta property="og:image" content="/images/default-og-image.png">
    <meta name=twitter:card content="summary_large_image">
    <meta name=twitter:title content="What I’d Tell My 23-Year-Old Self">
    <meta name=twitter:description content="If I could whisper to my 23-year-old self, I’d tell him this:

    Stop wasting time worrying about what people think.
    Pour your energy into building, into creating, into making something that’s yours.
    And never forget: everything is impermanent — every victory, every failure, every storm.

    That truth alone is enough to keep you moving forward.">
    <meta name=twitter:image content="/images/default-og-image.png">
    <title>What I’d Tell My 23-Year-Old Self</title>
    <meta name=description content="If I could whisper to my 23-year-old self, I’d tell him this:

    Stop wasting time worrying about what people think.
    Pour your energy into building, into creating, into making something that’s yours.
    And never forget: everything is impermanent — every victory, every failure, every storm.

    That truth alone is enough to keep you moving forward.">
    <link rel=author href=/humans.txt>
    <link rel=icon type=image/png href=/images/favicon.png>
    <link rel=canonical href=https://adlermedrado.com.br/missives/what-id-tell-my-23-year-old-self/>
    <link href=/css/styles.css rel=stylesheet>
</head>
<body>
    <header class=glitch-zone>
        <nav class=navbar role=navigation aria-label="Main Navigation">
            <div class=navbar_left>
                <a href=/ class=h-card rel=me>
                    <strong>
                        Adler Medrado
                        <span class=cursor-blink>|</span>
                    </strong>
                </a>
            </div>
            <div class="navbar_right navbar_right_animated">
                <a href=/posts>posts</a>
                <a href=/missives>missives</a>
                <a href=/now>what am i doing now</a>
                <a href=/uses>what am i using</a>
            </div>
        </nav>
    </header>
    <main>
        <article class=missive>
            <h1 class="text-4xl font-bold mb-4">What I’d Tell My 23-Year-Old Self</h1>
            <p class="text-sm text-gray-500 mb-6">26 Sep 2025</p>
            <div class=prose>
                <p>If I could whisper to my 23-year-old self, I’d tell him this:</p>
                <ul>
                    <li>Stop wasting time worrying about what people think.</li>
                    <li>Pour your energy into building, into creating, into making something that’s yours.</li>
                    <li>And never forget: everything is impermanent — every victory, every failure, every storm.</li>
                </ul>
                <p>That truth alone is enough to keep you moving forward.</p>
            </div>
        </article>
        <div class=post-tags>
            <p>
                <strong>Tags:</strong>
                <a href=/tags/thoughts>thoughts</a>
            </p>
        </div>
    </main>
    <footer class=glitch-zone role=contentinfo>
        <div class=footer-content>
            <div class=copyright>
                <p>
                    <small>&copy; 1996-2025 Adler Medrado</small>
                </p>
            </div>
            <div class=gpg_signed_info>
                <p>
                    All pages on this website are PGP signed.
                    Import my 
                    <a href=/pub-key.asc aria-label="Download my PGP public key">public key</a>
                     and check with 
                    <em>curl https://adlermedrado.com.br/missives/what-id-tell-my-23-year-old-self/ | gpg --verify</em>
                </p>
                <p>
                    <em>Privacy policy: this website employs no tracking.</em>
                </p>
                <p>
                    <span class=badge-a-plus>
                        <a href="https://developer.mozilla.org/en-US/observatory/analyze?host=adlermedrado.com.br" aria-label="Mozilla Observatory Security Rating: A+">A+</a>
                    </span>
                    <span class=badge-description>Mozilla Observatory Security Rating</span>
                </p>
            </div>
        </div>
    </footer>
    <script>
    (function() {
        function c() {
            var b = a.contentDocument || a.contentWindow.document;
            if (b) {
                var d = b.createElement('script');
                d.innerHTML = "window.__CF$cv$params={r:'9a31943f6eaad8cb',t:'MTc2MzkxMDQ3Ng=='};var a=document.createElement('script');a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";
                b.getElementsByTagName('head')[0].appendChild(d)
            }
        }
        if (document.body) {
            var a = document.createElement('iframe');
            a.height = 1;
            a.width = 1;
            a.style.position = 'absolute';
            a.style.top = 0;
            a.style.left = 0;
            a.style.border = 'none';
            a.style.visibility = 'hidden';
            document.body.appendChild(a);
            if ('loading' !== document.readyState)
                c();
            else if (window.addEventListener)
                document.addEventListener('DOMContentLoaded', c);
            else {
                var e = document.onreadystatechange || function() {};
                document.onreadystatechange = function(b) {
                    e(b);
                    'loading' !== document.readyState && (document.onreadystatechange = e, c())
                }
            }
        }
    })();
    </script>
</body>
</html>
<!--
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEB9cP28xEbBnKQwLObV8aePHcNh0FAmjpMJEACgkQbV8aePHc
Nh114BAAlkjwHZgFP7b7xUr++nhvxslYyb4SEzpWOzWaf1pd1UnwK9g3dBgImdoq
hrBC0yUuGqyCu8ZflghIF2mEVex5uHBCB5SFeQyPqfLA9erFEAPoWQ3b6gcKNiKM
wHwPDNEbgNxjKfoxfHcL6qrzpBjm//EtzXBtgC0IV1HTXOv0CG2s2AiEtmFj2kHO
LlrlMnT0IiwfUfDpL1Va1/AAc3bLsAQJgQVNKkOueoE08OtvnJ2lsz7PhqsgREnF
eorexF2SsHRhueXtet892ICVJuWrZtdN401YhqhLWu8oL6ORrMuQv4ecHRPuk08k
lrZA5atOssG02ghKLd0ITC65R6rEe/Jk3u6oRXYinRKUHvtpFgSQcgVqzU0kbnFF
0a4v6uGkZN5fFTkQO7Ua0483Iv2B+w7B1soFUN034S8ASfOBZXxDdNpyq8vtfk2y
N2bYf5+u/HXn/lNqZsBrS1vY40HoogEch+oO4Im4nsar8znXw3HxiYUM0Th+oiTR
TTWa4NHITlvBOcnmH49mxHSc99vYu0/bSKm8qY8PiZiGXq+u+36X4/1W/A+oXACn
Ao9G0Ljt9bXN7/QGcrb8BYiC+1rgmcMOrGmx+dtbwzfJhkITn6QjykcKFRg+PEIO
Kkv3c6C17+Pz6LIPQe6I//V3LYSvUiMY8lGLuM/C/nvD5QPfMlQ=
=1D7N
-----END PGP SIGNATURE-----
-->

You know that feeling when something just doesn’t sit right? Yeah, having the GPG signature embedded inside my HTML files always bothered me a little. Sure, it was super convenient to validate everything with a simple command like curl https://adlermedrado.com.br/missives/what-id-tell-my-23-year-old-self/ | gpg --verify, but the idea of having the signature “glued” to the original file just felt wrong. It was like the file wasn’t really the original anymore, you know?

Security isn’t a feature. It’s a consequence

16 Aug 2025

People talk about security like it’s a product you install or a checkbox you tick off before launch. But that mindset is exactly why so many systems fail. Security isn’t a module. It’s not a team. It’s not something you slap on later. It’s a consequence — of how you think when you build.

Most software is a prototype that accidentally went live. Security gets added later. If it gets added at all. Usually after something breaks or someone screams.

Say Cheese: Catch Curious Eyes on Your Mac with a Snapshot

14 Jul 2025

Ever worried someone might peek at your MacBook when you’re not around?

Last Friday, I built a simple, effective, and open-source solution to deal with that — and I called it Say Cheese.

Here’s the idea: if someone opens your Mac’s lid without authenticating via Touch ID, a photo is instantly taken and sent to your iPhone through iMessage. You get a live snapshot of the intruder — no fuss.

Update: Email (.eml) Analysis with FraudTalon

28 Jun 2025

FraudTalon just took another important step.

I’m only able to work on FraudTalon a few hours per week, but I’m committed to making steady progress and sharing weekly updates.

Starting today, you can upload .eml files directly through the interface, and the system will run a complete analysis using a combination of email security heuristics and artificial intelligence.

The pipeline now works like this:

  • Automatic .eml parsing with extraction of headers, sender, recipient, subject, and body
  • Heuristic evaluation with signals such as:
    • Mismatch between From, Reply-To, and Return-Path
    • Authentication failures (DKIM, SPF, DMARC)
    • Relaying through unknown servers
  • AI analysis (via OpenAI) that takes into account the full textual content
  • Final score with a breakdown of suspicious indicators

This update makes FraudTalon a much more powerful tool for analyzing suspicious emails like phishing, Pix scams, or fake investment offers.

Fighting online fraud with FraudTalon

20 Jun 2025

After getting so many messages from my parents, wife, sister, and friends asking if emails or ads they saw on social media were legit, I decided to build a tool to help identify fraud, scams, and phishing attempts.

That’s how FraudTalon was born.

It’s currently in MVP version 0.0.1 — basic functionality, simple heuristics (I started with NLP but dropped it — not needed for now), and a single cloud-based LLM. The goal at this stage is to validate the idea.

Building My Own Sovereign RAG for Secure Code Analysis

14 Jun 2025

Lately, I’ve been taking a closer look at some code analysis tools that claim to detect security vulnerabilities in software projects. The idea itself is solid. I got one of these tools recommended to me and decided to dig deeper to see what’s really behind these solutions.

Pretty quickly I noticed a pattern: these platforms are far from cheap. Some offer limited free plans, but we all know how this game works. When something that good is offered for “free”, the real price usually comes from somewhere else — data collection, vendor lock-in, black-box models processing your code in someone else’s cloud. And since I’ve been deeply studying AI lately, especially Retrieval-Augmented Generation (RAG), the question came naturally: why not build my own pipeline, fully local, sovereign, using open-source tools, running on my own machine, and depending on no one?

MDN Report A+

20 May 2025

Ran my site through MDN’s security scanner and kept tweaking until I hit 120/100 (A+).

Checked the scan history and the very first one, back in 2018, scored 20/100 (F).

Always improving.

Real-time Deepfakes: what if "seeing is believing" no longer means anything?

10 May 2025

An open-source project called Deep-Live-Cam is gaining traction on GitHub — and for good reason.

With just a single still image, it can mimic anyone’s face in a live video call. In real-time. Running locally. No cloud required.

The implication is clear: you can no longer trust a video call at face value.

So here’s the question: how do we verify identity in a world where faces can be forged on demand?

Why You Should Start Using GPG Now

27 Apr 2025

If you’re not using GPG to sign or encrypt your files and messages yet, it’s time to reconsider. It’s not just about looking like a 90s movie hacker — it’s about protecting your communication and digital identity in an increasingly hostile world.

🔐 What is GPG?

GPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard. It allows you to create cryptographic key pairs to digitally sign files and messages, as well as encrypt them to ensure confidentiality. It’s an essential tool for anyone serious about digital security.

Shadowdata Updates

13 Oct 2024

Yesterday, I published a blog post introducing my new open-source project, ShadowData.

This post is just to inform anyone interested that I have made some updates today.

New Features Added to the Project:

  • Email address anonymization
  • Phone number anonymization
  • Symmetric cryptography for encryption and decryption
  • Minor improvements to tests and code quality

You can look at the code in the GitHub repository.

See you.

Shadowdata Sensitive Data Handler Python Library

12 Oct 2024

I am deeply concerned about how to handle sensitive data in the projects I work on. Nowadays, there are laws in various countries addressing this issue, and the topic becomes increasingly important as time goes on.

Therefore, I decided to create a Python library that can help me deal with scenarios where it is necessary to process data to prevent any individual from being identified if the information is accessed. The library also handles data transformations, encryption, and the detection of sensitive personal data.

Sudo with Touch ID on macOS

05 Jun 2024

Setting up sudo to work with Touch ID on macOS Sonoma takes only a few steps.

Locate the file /etc/pam.d/sudo_local.template and make a copy as shown in the example below:

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local

Then edit the file and remove the # character from the beginning of line 3. It should look like this:

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth sufficient pam_tid.so

Detailed Steps to Edit the File

To edit the file, use a text editor like nano or vim. For example, with nano: