Can we have an alias for bind mounts on the rescue image? Or maybe we do?
  • BuoyantCitrus

    My understanding of debootstrap is that it's for installing a minimal system, which is very much not what I want to do when rescuing an existing system as it'd probably overwrite things I'd like to keep. And the mount commands in the docs there to bind virtual filesystems before a chroot are similar to the sorts of things I'm hoping to find a memorable shortcut for yes. However, I already know what I want to bind mount, just looking for a more convenient way to go about it in a panic. Thanks for the suggestion.

    1
  • Can we have an alias for bind mounts on the rescue image? Or maybe we do?
  • BuoyantCitrus

    Yes I recognise this post was more typing than a few decades of system rescuing but it's also more relaxing because my laptop already works and a one character typo won't be as much of a hassle here. It'd make an unpleasant chore more pleasant if there were a simple alias for this, which I occasionally speculate on proposing but ehhh I don't need it so often.

    So it appears this time I'm motivated enough to make a post here. But not quite motivated enough to:

    • figure out how to wedge something to do this into the filesystem on my rescue ISO (because I'll either lose that USB or need to remember to repeat it for the next Debian stable release which might come out before I need this again --- I'm thinking on a longer time scale)

    • learn how to formally engage with the Debian community (which seems lovely and welcoming but also extremely bureaucratic for sensible reasons and like I'll have a pretty long road ahead of me to get a patch together and properly formatted and somehow applicable to all architectures and documented/internationalised and a lot of other steps I'm insufficiently motivated to undertake but perhaps eventually once I have a critical mass of contributions in mind that it feels worthwhile to dive in).

    2
  • I know it's my fault for believing what my neglected laptop told me about its battery but I went ahead and did a kernel update anyway and wound up needing to repair my system. After a quick search I wound up on https://wiki.debian.org/GrubEFIReinstallOnLUKS per usual. The biggest hassle of this is having to type out the longish for loop to bind the various vfs to the chroot environment. It was bad enough when it was proc/sys/dev but it's worse these days:

    ```
    for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -B "$i" "/mnt$i"; done
    ```

    I realise there are various things that'd automate that if I connected the rescue image to the internet and added a package but that's also hassles as I've really just booted it with the express purpose of reinstalling grub. But maybe there is already some form of shortcut for this in the system that I've missed? Or some existing ticket/effort to enact one I could +1?

    5
    3

    My Keychron Q11 showed up recently and I've been super happy with it. Main reason was that my Noppoo Choc Mini finally lost a switch and I don't have any on hand (nor a soldering iron ...yet) but it turns out I actually really wanted the pair of rotary encoders on this and didn't even realise. Specifically, I've got it bound to Ctrl-PgUp/PgDown so I can scroll through my tabs with it and close them with a click binding to Ctrl-W and that's working out really well. Anyone else use the knobs like that? I've got the other one set to volume and the vendor had zoom as a suggestion but I wonder what else people do with these?

    ----

    Bonus newb Q: On the [product page](https://www.keychron.com/products/keychron-q11-qmk-custom-mechanical-keyboard) they demonstrate binding Ctrl-+ zooming to the encoder via a macro but neither macro13 nor the {KC_LCTL,KC-W} type syntax would let me click "Confirm" when trying to associate it to the knob in Via (eg. it wouldn't let me follow their example). Luckily it was happy with the alternative of LCTL(KC_W) that I stumbled on somewhere but now I wonder how to properly associate a macro to a knob?

    17
    1
    Best PCIE wifi/bt for Linux at the moment
  • BuoyantCitrus

    Thanks, that's a significant detail. It also seems like Bluetooth 5.4 adds nothing relevant to my expected use cases: https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/whats-new-in-bluetooth-v5-4-an-overview

    Is there such a thing as a particularly good PCIE -> m.2 E key adapter or are they all pretty much equivalent? Specifically, are some antennae better than others or they're pretty much simple enough devices that they're going to be equivalent if they're remotely aiming at the same spec?

    Unfortunately, it seems like Intel may be a bad bet in terms of use as an AP:

    > Intel cards are only usable as access points either in the 2.4 GHz band or (very rarely) on channel 36. This hardware restriction is stemming from the fact that they don't have the circuitry required for reacting to radar pulses, and therefore rely on the "proper" access point to tell them about radars.

    Also it needs a USB header on my motherboard as apparently the BT aspect is based on that bus. So perhaps I'd be better off with a fully USB adapter, I wonder if there is a downside to that approach... Edit: PCIE is the way to go

    1
  • Last time I needed to add rf to a desktop, Intel AX200 seemed like the chipset to get. But now there are various new standards and the BE200 apparently has issues with AMD systems? So is there something newish from Qualcomm or others that I should be aiming for or would I probably be better off just picking up an AX210? Since the card might be kicking around a while I'm curious what has the best overall Linux support with as many significant 802.11 standards and Bluetooth codecs as possible for general future-proof-ness. Would also be nice if it had good support for AP mode as that's sometimes handy or I might repurpose it into a router at some point.

    8
    2
    What is the best model of used ThinkPad to purchase?
  • BuoyantCitrus

    I got a nice deal on the x280 and am happy with it, was also looking at the various X1 carbon. Two criteria I had were I wanted USB-C charging (since I have those chargers around and they can handle these laptops) and a single battery (eg. the T470s I have from work is nice but it has two small capacity batteries that each cost the same to replace as the full size single ones in the carbon and x280). One thing to keep in mind is some of the earlier X1 carbon don't support NVME SSD (I think it started with 5th gen?)

    Edit: another thing to consider is soldered RAM. Part of why my x280 was cheap was it's only 8gb and can't be upgraded. Since you're looking at lighter weight things and using FOSS (and perhaps open to tinkering with things like ZRAM) that might be a useful aspect to focus on because there is probably a glut of such machines given how memory inefficient things are lately with every trivial app running a whole browser engine. OTOH, depending how many tabs you tend to have open and how many electron apps you tend to keep floating around, 8gb might start to feel cramped. Especially if you think you might want some VMs around.

    10
  • Laptop with long runtime
  • BuoyantCitrus

    Next time I look for a small laptop to have handy one thing I'm going to be sure to prioritise is: how much battery does it use while suspended? I'd really like to not need to have it switch to hibernate after 30m of sleep or w/e and ideally just plug it in overnight like a phone.

    2
    Should I renew my liberapay donations?

    Apparently, while it's [closed for new donations](https://liberapay.com/lemmy.ca), liberapay is still going to renew existing ones.

    6
    3
    thelocal.to

    Seems like the Landlord and Tenant Board isn't the only part of our justice system falling apart due to provincial neglect.

    8
    0
    'Something's changed': Summer 2023 is screaming climate change, scientists say | CBC News
  • BuoyantCitrus

    They published this in Popular Mechanics in 1912, we've been ignoring this for a long time:

    > The furnaces of the world are now burning about 2,000,000,000 tons of coal a year,” the article reads. “When this is burned, uniting with oxygen, it adds about 7,000,000,000 tons of carbon dioxide to the atmosphere yearly. This tends to make the air a more effective blanket for the earth and to raise its temperature. The effect may be considerable in a few centuries.

    https://books.google.ca/books?id=Tt4DAAAAMBAJ&pg=PA341&dq=carbon+climate&hl=en&sa=X&redir_esc=y#v=onepage&q=carbon climate&f=false

    Also, this Wikipedia article has a good summary on the overall arc of our understanding: https://en.wikipedia.org/wiki/History_of_climate_change_science

    26
  • Better understanding and mitigating the risks of using a phone that no longer receives system updates
  • BuoyantCitrus

    The app, in the scenario where we're trusting the author/store, is only part of the surface to the extent it's exposed to a potentially malicious payload. eg. a trusted solitaire game using a vulnerable API doesn't exacerbate that vulnerability because it doesn't expose it to untrusted input whereas a PDF viewer would because the PDF could be coming from anywhere...

    1
  • Better understanding and mitigating the risks of using a phone that no longer receives system updates
  • BuoyantCitrus

    Really appreciate you taking the time to write that. I have a sense of most of that ("defense in depth" and "threat model" are good lenses to think about such things through for sure!) but what I was trying to get a better grasp on was how much risk from automated attack was a normal person without worries of an "advanced persistent threat" taking on by using a device past EOL. Like you say, "Quantifying how much of a difference it makes is not trivial" so I feel less conflicted to know that you're comfortable with your dad taking that risk.

    I would think that the main thing at stake for a typical user isn't just browsing history or email though but rather identity theft since a successful attacker can use the device to get through 2FA.

    3
  • Better understanding and mitigating the risks of using a phone that no longer receives system updates
  • BuoyantCitrus

    It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren't pulling in random untrusted content are far less of an attack vector (eg. one's bank app isn't connecting to everything, just to the bank, pinterest is hopefully escaping user content, etc.)

    Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn't necessarily mean "giving up bluetooth entirely", just not using it when you're in bluetooth range of an untrustworthy party eg. if you just use your headset to make zoom calls at home and are fine not having it on the subway.

    Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we're vaguely covered by our vendor. I think you've convinced me to subscribe to CVEs for android too, I've only had alerts for my browser. Really too bad they don't make smaller Pixels.

    4
  • Better understanding and mitigating the risks of using a phone that no longer receives system updates
  • BuoyantCitrus

    > I don’t think they are things that can be fixed on the app level?

    Indeed not. So I'm trying to better understand how vulnerabilities at the system level are exploited. It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured.

    Based on this thread I'm beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their attack surface.

    4
  • Better understanding and mitigating the risks of using a phone that no longer receives system updates
  • BuoyantCitrus

    Thanks, that's encouraging and very relevant. Looks like it was introduced in Android 10 and aside from "Project Mainline" is referred to as "modular system components": https://source.android.com/docs/core/ota/modular-system

    Can you shed more light on what someone would be risking by continuing to use an EOL device? You say you don't advise it, but it'd be helpful to elaborate on why.

    It seems like the increased vulnerability would be relatively limited: I presume the browser and messaging are by far the most common vectors and those would be as up to date as ever but I can see how exploiting an unpatched vuln there on an unsupported device could have more impact as it would give more options for privilege escalation.

    Otherwise it'd be something RF based. Aside from widely publicised things like BlueBorne (that we should be keeping an eye out for anyway), is it a reasonable concern that there are identity theft rings employing people with modified hardware wandering around subway systems trying to exfiltrate credentials from devices with specific vulnerable basebands? Seems like Android also offers some defence in depth there that'd make it unlikely enough to ensure it wouldn't be worth their while?

    There are a few technologically disinterested people in my life that I advise (as is no doubt the case for many here) and I don't know how strongly to push for them to get new devices once theirs fall out of support. Most of them are quite content with what they're using and are not in the habit of installing apps (and will reliably ask me first) so they really would be replacing the device solely for the updates. In some cases it's not only the time and effort to decide on a replacement and get things transferred over but the expense can also be a burden. So I don't want to raise the alarm lightly.

    9
  • cross-posted from: https://lemmy.ca/post/1926125

    > Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.
    >
    > But what's the actual risk of using an Android phone on a stock ROM without updates? What's the attack surface?
    >
    > It seems like most things that'd contact potentially malicious software are web and messaging software, but that's all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.
    >
    > So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?
    >
    > Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it'd be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn't just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?
    >
    > I'm not at all an Android developer though, perhaps this is very naive and I'm missing something major?

    38
    2

    Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

    But what's the actual risk of using an Android phone on a stock ROM without updates? What's the attack surface?

    It seems like most things that'd contact potentially malicious software are web and messaging software, but that's all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

    So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

    Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it'd be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn't just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

    I'm not at all an Android developer though, perhaps this is very naive and I'm missing something major?

    107
    24
    Who can see my IP on Lemmy?
  • BuoyantCitrus

    Good point! And ya, when I open umatrix on a comment thread I see a whole menagerie of instances serving me images as I guess that goes for the profile image too.

    But I find that somehow less concerning as they just know "someone at this IP viewed this thread containing these images" than "the user at this IP wrote this comment (or post)".

    Hmmm, but if DMs allow images and they work like this, a user with their own instance who wants to know which IP wrote a comment could perhaps send a message to the author with a unique image...

    1
    Ubuntu 23.10’s New Software App Will Demote DEBs (Apparently)
  • BuoyantCitrus

    Aren't you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve...

    3
  • Best alternative to selfhosting email? E.g. email hosting provider for a custom domain
  • BuoyantCitrus

    I've enjoyed runbox.com for years but don't think they offer catch-all, at least not when I last checked. You might look at mxroute.com, I heard about it later and might have gone with them first and they somehow seem more likely to support that

    4
  • cross-posted from: https://lemmy.ca/post/653849

    > I'm trying to follow conventional wisdom and have more and more of our portfolio as straight up VGRO but want some more US exposure (though I am aware there are arguments in favour of a home-country bias). I was also interested in picking a USD fund as not only do they tend to have a lower MER but also get an extra boost from withholding tax exemption if I hold them in an RRSP.
    >
    > An S&P 500 fund seems the way to go, but it seems awfully slanted towards giant tech megacaps. Apple alone is over 7% of VOO. With a P/E over 31 it's hard for me to feel like there's not extra risk with the concentration here--is it really such a safe bet to think the largest company in the world has that much more growth ahead of it? And VGRO already has a solid chunk of cap-weighted exposure.
    >
    > And so, after my inexpert research failed to dissuade me, I'm probably going to use an equal-weight ETF like RSP or EUSA for this portion---there are no penny stocks on the S&P 500 and it doesn't seem to perform much worse (and indeed better depending how far back you test). At this point I'm more comfortable with either of those than VOO and will probably do this just for the irrational psychology, but I do wish there was something that combines an equal weighting with a screen for quality (something like SPHQ) as a big drawback seems like for as much concentration risk as it avoids it also keeps rebalancing more and more into failing companies as they crash and burn.
    >
    > Anyone else subscribe to a similar reasoning and incorporate an equal weight fund into the passive portion of your portfolio? Which one did you go with?

    4
    7
    https://www.tvo.org/article/good-luck-olivia-chow-youre-going-to-need-it

    Our new mayor faces an uphill battle, this TVO piece lays it out well. And that's not even counting the potential for [active sabotage](https://www.theglobeandmail.com/news/politics/second-reading/the-hidden-history-of-bob-raes-government-in-ontario/article1314254/) like what Bob Rae ran into.

    15
    2
    https://money.tmx.com/quote/AP.UN/news/6622298329971614/Allied_to_Sell_UDC_Portfolio_to_KDDI_Corporation_for_135_Billion

    Allied Properties sale of their data centre portfolio to KDDI includes 151 Front Street W., the site of [TorIX](https://www.torix.ca/) which is the main [Internet Exchange Point](https://en.wikipedia.org/wiki/Internet_exchange_point) for the country. While that's not necessarily an issue, I kinda figured it was at least a little bit notable but I've not seen it mentioned aside from an investment context. Unfortunately, it seems like it's less consequential than it should be because Bell Canada [apparently still refuses to peer at TorIX](https://nullrouted.space/2021/02/27/bell-canada-should-peer-at-canadian-ixes/) and [only connects to other ISPs through the US](https://www.reddit.com/r/Quad9/comments/101ii0e/bell_canada_routes_gta_customers_to_chicago_quad9/j2wxgtb/) which means that eg. if I'm on Rogers in Toronto and you're on Bell, any communications between our computers have to flow through American controlled systems even though we're in the same city because that's how Bell chooses to have things set up. Whereas, for pretty much everything else in Toronto, it'd move between networks via TorIX. Which is now in a building owned by a Japanese company instead of a Canadian REIT.

    82
    18

    There's an [election soon in Toronto](https://lemmy.ca/post/566088)! A publication I like has some detailed profiles on the candidates but I bet others do too. Seems like it'd be best to start a thread and collect links to that kind of coverage in top level comments.

    12
    3
    Privacy / data retention policy

    It'd be nice to (eventually!) see a link laying out a privacy policy for the instance, something like: https://newsie.social/privacy-policy I'd especially be interested to know how long you associate the IP addresses we visit from with our accounts, who can see that info (and our emails), what other PII you store, and how long deleted posts/accounts are stored for. (Totally get and very much appreciate that smorks &co have a lot on their plates just getting this place off the ground, not trying to demand additional work, just a suggestion. Seems like it'd take some thinking to balance with eg. a good backup regimen.)

    2
    2

    Was curious about whether someone could extract my password from Jerboa on my phone but didn't get any response there. Maybe you guys have some idea? Does Lemmy even offer an auth mechanism that could prevent this, is one in the works?

    cross-posted from: https://lemmy.ca/post/652328

    > I noticed that Jerboa didn't seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jerboa I'm entrusting it with the cleartext password for my lemmy account which it's storing on my phone?
    >
    > I'm sorta okay with that especially for now (eg. alpha) so I proceeded with things but maybe it should be more clear up front that's what's happening? And really, any of the other apps could probably have faked that OAuth page anyhow so it's dubious if you were really trusting the app all that much less in that case.
    >
    > However, one thing OAuth had going for it was that would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account whereas they could extract my password from Jerboa and use it to take over my lemmy account?

    20
    4

    Looked through the docs a bit and it's not really clear to me: I'm posting this on lemmy.ca, does that mean only that instance knows my IP? Or does every instance it federates with get my ip alongside this post? This seems maybe important, did I miss a privacy guide to Lemmy someplace? Cursory searching didn't come up with much official. Are there other aspects we should be thinking about here? I'd come across some mention of deleted posts being still available everywhere they were sent but that sorta makes sense -- hard to "unpublish" anything.

    43
    18
    https://lemmy.ca/post/704161

    ...trying to cross-post from !investing@lemmy.ca ...is cross posting even a thing on lemmy?

    4
    3
    Fire Alarm BuoyantCitrus Now 100%
    Are all basic consumer fire alarms about the same or do some stand out?

    Noticed this community and it happens to be well timed: my smoke detector says it's too old. Assuming I should trust it on that, what should I replace it with? I've no wiring for those so am looking for the usual battery operated standalone one. Or it pretty much doesn't matter, they all work about as well?

    1
    2
    https://twitter.com/barvolo/status/1668676187021778944

    One silver lining of the pandemic was that the city opened up some public space so we had more options for hanging out. While I'm not a fan of fine dining with a backed up lane of traffic idling a few feet away this was one patio I really enjoyed---for the last 3 years it was in an otherwise quiet and underused alley with plenty of room for service vehicles to still get by. But ...apparently because some patios in laneways got in the way they've just decided to cancel all of them this year? And I think they're also charging way more in general? Sucks, this was exactly the kind of thing we need more of, not less. We're already so isolated.

    13
    3

    I noticed that Jerboa didn't seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jerboa I'm entrusting it with the cleartext password for my lemmy account which it's storing on my phone?

    I'm sorta okay with that especially for now (eg. alpha) so I proceeded with things but maybe it should be more clear up front that's what's happening? And really, any of the other apps could probably have faked that OAuth page anyhow so it's dubious if you were really trusting the app all that much less in that case.

    However, one thing OAuth had going for it was that would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account whereas they could extract my password from Jerboa and use it to take over my lemmy account?

    8
    0

    BuoyantCitrus

    lemmy.ca