JustEnoughDucks

Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as “it doesn’t exist” rather than an obsticle to try exploits on. Not sure if that is true though.

For me:

• ssh server only with keys

• absolutely no ssh forwarding, only available to local network via firewall rules

• docker socket proxy for everything that needs socket access

• drop non-used ports, limit IPs for local-only services (e.g. paperless)

• crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)

• Authelia over everything that doesn’t break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)

• proper umask rules on all docker directories (or as much as possible)

• main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical

• full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren’t in memory (makes a startup script with a password needed, so no automated startups for me)

For more info, I followed a lot of stuff on: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

HealthyPi will be a too option too. Much more fitness focused than pinetime or banglejs

I have been happy with PrivateVPN, but I can’t get a read on them.

They say no-log, but many VPNs probably lie about that. Small, based in Sweden.

I just saw on the kumo app literally just now that they got bought out by Miss Group and are no longer independent like when I started with them in 2019.

They have no strikes against them besides the not-disclosed buyout. No idea if I should switch, but they have good prices and port forwarding.

Our fucking corporate HP printer requires every single employee to make a separate fucking HP account in order to scan anything on the stupid piece of shit.

Not to mention in CONSTANTLY freezes and crashes.

We are replacing it. Fuck HP.

They are a massive megacorp though. It always leaves me to wonder “how much”.

Tons of capitalist companies do stock options where “technically” the employees own a share of the company, though that percentage is usually extremely small, even collectively such that they have no decision power. I can’t help but think that it is similar with huawei, but with better marketing.

That is very fair!!

But on the other hand, 99.9% of users don’t read all of the change notes for their packages and don’t have notifications for CVEs. In that case, in my opinion just doing updates as they come would be easier and safer.

Doesn’t ucore also have to restart to apply updates?

Not super ideal for a server as far as maintenance and uptime to have unexpected, frequent restarts as opposed to in-place updates, unless one’s startup is completely automated and drives are on-device keyfile decrypted, but that probably fits some threat models for security.

The desktop versions are great!

Well, I didn’t think anyone would be dumb enough to do that, but you might be right…

I am also very low. I just pretty much let someone else take credit for it so that it would actually be taken to management.

I got my company to start using bitwarden. That was a huge step and 1/4 of the company forgot their password in the first 60 days. I sent a big email detailing how to make a mnemonic device with a passphrase that bitwarden generates 😂 complete with photoshop drawings on one i generated. no forgotten passwords since

It simply is too buggy and crashes too often for complex assemblies and professional work. Especially if the rest of your company uses SolidWorks or similar where FreeCAD can’t export to the format

When time isn’t money, it’s fine and is only sometimes frustrating nowadays.

Then the question is: what is being smart or dumb? If acting dumb in 90% of life while having the capability of being smart isn’t “being dumb” then what is?

If someone who has the capability of being 50/100 intelligent and is always acting 50/100, I would argue they are smarter than someone capable of 80/100 intelligence but acts 20/100 intelligence for 90% of their life.

I also use ubiquiti. It is the apple of WiFi systems, for better or worse.

I have yet to be able to find if they are privacy respecting or not. I am leaning more towards no since everything is by default through their cloud (my brand new UCG-ultra wouldn’t even let me set it up locally, it would break when trying to set it up locally via the app and DNS & IPs would be messed up so I couldn’t even contact it to fix it, I had to hard reset it and do it via their cloud)

Multiple, though yt-dlg hasn’t been updated for years.

You absolutely can fail. I daily drive bazzite but many things have been pretty rough:

Any coding apps that will use an external device -> you can’t use flatpak. You have to use distrobox that constantly freezes your entire mouse for 3-5 seconds upon any sort of dialog, settings, saving, anything where it has to access the filesystem. Then you have to add udev rules to directories that in the documentation says not to write to, and reloading the rules doesn’t work for testing, you have to fully restart with every minor change or it will seem like the change didn’t work.

Luckily most device drivers seem to work in the provided arch distrobox but holy dependency hell. Things will fail to install because they need a package that exists on the host but not the container so you get an unsolvable “file exists” conflict. When installing a package, it will sometimes just try to grab an old version of a dependency specifically that will 404 out instead of just grabbing the most recent version (never happened on arch itself to me)

Setting up a plasma vault with gocryptfs was not fun figuring out how. Also ran into tons of dependency problems and the fact that fedora just abandoned it specifically. Ended up just having to stick the binary in a random folder and point to it.

Any sort of document authentication/signing -> doesn’t work and will not work in the future for a long time.

You absolutely have to install rpms still for corectrl, any external devices, like drawing tablets, etc…

Some games inexplicably use <50% GPU and <40% CPU with terrible framerates and will not go any higher (or lower) no matter what, switching between low and high settings and resolution results in 0fps change.

When I have my config set and don’t have to change anything, it is super super nice to never have to manually update, but anything outside of very basic usage is weaving through nonstandard undocumented territory.

Bazzite trades maintenance headaches for configuration and installation headaches. For me, that is worth it.

And then I get down voted for laughing when people say that they use AI for “general research” 🙄🙄🙄

Yeah, they have a spotify connect plugin that works, but chromecast probably will not be supporter because google holds all of the cast keys and esphome/music assistant/ home assistant would have to register with them (and probably play the fees) i think

It’s done for smaller parts with peltiers nowadays. Not that efficient, but there are few options. If you sink it to a large enough surface, it will radiate away.

To be fair though. The experience of google and Microsoft online word/spreadsheets/etc… also sucks ass on a smartphone. Much better, sure, but doing spreadsheets or writing a paper on a phone is a bad experience in general.

But how does this change using VPNs with torrenting? Especially because it seems like the vast majority don’t support ipv6 as well as openvpn often leaking ipv6 IPs.

Only Android Open Source Project, not the different phone UIs, vendor blobs, firmware, camera apps, etc… It is really the basics that are open source.

But also the source of android is 100% controlled by google unless it is an alternative forked project like lineageOS (at least I think so)