BuoyantCitrus

joined 2 years ago
sorted by: new top controversial old
How much does it matter what type of harddisk i buy for my server? in c/selfhosted@lemmy.world
[–] BuoyantCitrus@lemmy.ca 2 points 4 months ago (1 children)

One thing that would be useful to understand is the distinction between CMR and SMR

What is the best model of used ThinkPad to purchase? in c/linux@lemmy.ml
[–] BuoyantCitrus@lemmy.ca 10 points 4 months ago* (last edited 4 months ago) (1 children)

I got a nice deal on the x280 and am happy with it, was also looking at the various X1 carbon. Two criteria I had were I wanted USB-C charging (since I have those chargers around and they can handle these laptops) and a single battery (eg. the T470s I have from work is nice but it has two small capacity batteries that each cost the same to replace as the full size single ones in the carbon and x280). One thing to keep in mind is some of the earlier X1 carbon don't support NVME SSD (I think it started with 5th gen?)

Edit: another thing to consider is soldered RAM. Part of why my x280 was cheap was it's only 8gb and can't be upgraded. Since you're looking at lighter weight things and using FOSS (and perhaps open to tinkering with things like ZRAM) that might be a useful aspect to focus on because there is probably a glut of such machines given how memory inefficient things are lately with every trivial app running a whole browser engine. OTOH, depending how many tabs you tend to have open and how many electron apps you tend to keep floating around, 8gb might start to feel cramped. Especially if you think you might want some VMs around.

Why North America Can't Build Nice Apartments [Video, 12:09] in c/canada@lemmy.ca
Laptop with long runtime in c/linux@lemmy.ml
[–] BuoyantCitrus@lemmy.ca 2 points 9 months ago (1 children)

Next time I look for a small laptop to have handy one thing I'm going to be sure to prioritise is: how much battery does it use while suspended? I'd really like to not need to have it switch to hibernate after 30m of sleep or w/e and ideally just plug it in overnight like a phone.

Should I renew my liberapay donations? in c/main@lemmy.ca
[–] BuoyantCitrus@lemmy.ca 3 points 9 months ago

Thanks, cancelled for now. I'll keep an eye out for ways to contribute as we get more organised.

6
Should I renew my liberapay donations? (lemmy.ca)
 

Apparently, while it's closed for new donations, liberapay is still going to renew existing ones.

7
In Small Claims Court, Justice Delayed (thelocal.to)
 

Seems like the Landlord and Tenant Board isn't the only part of our justice system falling apart due to provincial neglect.

Self-hosted habit tracker in c/selfhosted@lemmy.world
[–] BuoyantCitrus@lemmy.ca 5 points 10 months ago

Big fan of that one, been using it for years.

Anyone know of a reverse command script or package to parse args for flags, expand them, and condense a man or help page(s) to just the relevant flags? in c/linux@lemmy.ml
Better understanding and mitigating the risks of using a phone that no longer receives system updates in c/android@lemmy.ml
[–] BuoyantCitrus@lemmy.ca 4 points 1 year ago

It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren't pulling in random untrusted content are far less of an attack vector (eg. one's bank app isn't connecting to everything, just to the bank, pinterest is hopefully escaping user content, etc.)

Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn't necessarily mean "giving up bluetooth entirely", just not using it when you're in bluetooth range of an untrustworthy party eg. if you just use your headset to make zoom calls at home and are fine not having it on the subway.

Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we're vaguely covered by our vendor. I think you've convinced me to subscribe to CVEs for android too, I've only had alerts for my browser. Really too bad they don't make smaller Pixels.

38
Better understanding and mitigating the risks of using a phone that no longer receives system updates (lemmy.ca)
 

cross-posted from: https://lemmy.ca/post/1926125

Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what's the actual risk of using an Android phone on a stock ROM without updates? What's the attack surface?

It seems like most things that'd contact potentially malicious software are web and messaging software, but that's all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it'd be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn't just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I'm not at all an Android developer though, perhaps this is very naive and I'm missing something major?

0
Better understanding and mitigating the risks of using a phone that no longer receives system updates (lemmy.ca)
 

Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what's the actual risk of using an Android phone on a stock ROM without updates? What's the attack surface?

It seems like most things that'd contact potentially malicious software are web and messaging software, but that's all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it'd be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn't just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I'm not at all an Android developer though, perhaps this is very naive and I'm missing something major?

Best alternative to selfhosting email? E.g. email hosting provider for a custom domain in c/selfhosted@lemmy.world
[–] BuoyantCitrus@lemmy.ca 4 points 1 year ago (1 children)

I've enjoyed runbox.com for years but don't think they offer catch-all, at least not when I last checked. You might look at mxroute.com, I heard about it later and might have gone with them first and they somehow seem more likely to support that

2
A key part of Canada's Internet was just sold to Japanese telco KDDI (money.tmx.com)
 

Allied Properties sale of their data centre portfolio to KDDI includes 151 Front Street W., the site of TorIX which is the main Internet Exchange Point for the country. While that's not necessarily an issue, I kinda figured it was at least a little bit notable but I've not seen it mentioned aside from an investment context.

Unfortunately, it seems like it's less consequential than it should be because Bell Canada apparently still refuses to peer at TorIX and only connects to other ISPs through the US which means that eg. if I'm on Rogers in Toronto and you're on Bell, any communications between our computers have to flow through American controlled systems even though we're in the same city because that's how Bell chooses to have things set up.

Whereas, for pretty much everything else in Toronto, it'd move between networks via TorIX. Which is now in a building owned by a Japanese company instead of a Canadian REIT.

Canadians will no longer have access to news content on Facebook and Instagram, Meta says in c/canada@lemmy.ca
[–] BuoyantCitrus@lemmy.ca 1 points 1 year ago

Good. This law is ridiculous and I'm glad it won't give the result they intended. Being able to link to things freely is a very basic part of the web, we really shouldn't mess with that. And Facebook is a ridiculous place to get news from so it may have ancillary benefits as well in terms of maybe slightly improving public discourse and encouraging people onto other platforms with more transparency around their content weighting and data use practices.