Hello, I’m relatively new to self-hosting and recently started using Unraid, which I find fantastic! I’m now considering upgrading my storage capacity by purchasing either an 8TB or 10TB hard drive. I’m exploring both new and used options to find the best deal. However, I’ve noticed that prices vary based on the specific...
I’m thinking of picking up a used ThinkPad on eBay for cheap to serve as my daily driver. I’ll likely run LMDE, and primarily use it for web browsing, office programs, coding, and FreeCAD. Any recommendations on which model would best hit the sweet spot of capability vs price?
I got a nice deal on the x280 and am happy with it, was also looking at the various X1 carbon. Two criteria I had were I wanted USB-C charging (since I have those chargers around and they can handle these laptops) and a single battery (eg. the T470s I have from work is nice but it has two small capacity batteries that each cost the same to replace as the full size single ones in the carbon and x280). One thing to keep in mind is some of the earlier X1 carbon don’t support NVME SSD (I think it started with 5th gen?)
Edit: another thing to consider is soldered RAM. Part of why my x280 was cheap was it’s only 8gb and can’t be upgraded. Since you’re looking at lighter weight things and using FOSS (and perhaps open to tinkering with things like ZRAM) that might be a useful aspect to focus on because there is probably a glut of such machines given how memory inefficient things are lately with every trivial app running a whole browser engine. OTOH, depending how many tabs you tend to have open and how many electron apps you tend to keep floating around, 8gb might start to feel cramped. Especially if you think you might want some VMs around.
Next time I look for a small laptop to have handy one thing I’m going to be sure to prioritise is: how much battery does it use while suspended? I’d really like to not need to have it switch to hibernate after 30m of sleep or w/e and ideally just plug it in overnight like a phone.
I have been working on my scripts for user/group permissions today. This idea has been on my back burner for awhile. I’m sure others have done this before. I just haven’t encountered them yet....
They published this in Popular Mechanics in 1912, we’ve been ignoring this for a long time:
The furnaces of the world are now burning about 2,000,000,000 tons of coal a year,” the article reads. “When this is burned, uniting with oxygen, it adds about 7,000,000,000 tons of carbon dioxide to the atmosphere yearly. This tends to make the air a more effective blanket for the earth and to raise its temperature. The effect may be considerable in a few centuries.
It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren’t pulling in random untrusted content are far less of an attack vector (eg. one’s bank app isn’t connecting to everything, just to the bank, pinterest is hopefully escaping user content, etc.)
Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn’t necessarily mean “giving up bluetooth entirely”, just not using it when you’re in bluetooth range of an untrustworthy party eg. if you just use your headset to make zoom calls at home and are fine not having it on the subway.
Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we’re vaguely covered by our vendor. I think you’ve convinced me to subscribe to CVEs for android too, I’ve only had alerts for my browser. Really too bad they don’t make smaller Pixels.
Thanks, that’s encouraging and very relevant. Looks like it was introduced in Android 10 and aside from “Project Mainline” is referred to as “modular system components”: source.android.com/docs/core/ota/modular-system
Can you shed more light on what someone would be risking by continuing to use an EOL device? You say you don’t advise it, but it’d be helpful to elaborate on why.
It seems like the increased vulnerability would be relatively limited: I presume the browser and messaging are by far the most common vectors and those would be as up to date as ever but I can see how exploiting an unpatched vuln there on an unsupported device could have more impact as it would give more options for privilege escalation.
Otherwise it’d be something RF based. Aside from widely publicised things like BlueBorne (that we should be keeping an eye out for anyway), is it a reasonable concern that there are identify theft rings employing people with modified hardware wandering around subway systems trying to exfiltrate credentials from devices with specific vulnerable basebands? Seems like Android also offers some defence in depth there that’d make it unlikely enough to ensure it wouldn’t be worth their while?
There are a few technologically disinterested people in my life that I advise (as is no doubt the case for many here) and I don’t know how strongly to push for them to get new devices once theirs fall out of support. Most of them are quite content with what they’re using and are not in the habit of installing apps (and will reliably ask me first) so they really would be replacing the device solely for the updates. In some cases it’s not only the time and effort to decide on a replacement and get things transferred over but the expense can also be a burden. So I don’t want to raise the alarm lightly.
I don’t think they are things that can be fixed on the app level?
Indeed not. So I’m trying to better understand how vulnerabilities at the system level are exploited. It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured.
Based on this thread I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their attack surface.
Really appreciate you taking the time to write that. I have a sense of most of that (“defense in depth” and “threat model” are good lenses to think about such things through for sure!) but what I was trying to get a better grasp on was how much risk from automated attack was a normal person without worries of an “advanced persistent threat” taking on by using a device past EOL. Like you say, “Quantifying how much of a difference it makes is not trivial” so I feel less conflicted to know that you’re comfortable with your dad taking that risk.
I would think that the main thing at stake for a typical user isn’t just browsing history or email though but rather identity theft since a successful attacker can use the device to get through 2FA.
The app, in the scenario where we’re trusting the author/store, is only part of the surface to the extent it’s exposed to a potentially malicious payload. eg. a trusted solitaire game using a vulnerable API doesn’t exacerbate that vulnerability because it doesn’t expose it to untrusted input whereas a PDF viewer would because the PDF could be coming from anywhere…
I’ve enjoyed runbox.com for years but don’t think they offer catch-all, at least not when I last checked. You might look at mxroute.com, I heard about it later and might have gone with them first and they somehow seem more likely to support that
Just because we want thoughtful regulation does not mean we support Meta and Alphabet. Why is this fascinating or surprising? Do you think the EFF is a huge fan of link taxes or Facebook?
Our new mayor faces an uphill battle, this TVO piece lays it out well. And that’s not even counting the potential for active sabotage like what Bob Rae ran into.
Allied Properties sale of their data centre portfolio to KDDI includes 151 Front Street W., the site of TorIX which is the main Internet Exchange Point for the country. While that's not necessarily an issue, I kinda figured it was at least a little bit notable but I've not seen it mentioned aside from an investment context....
It’s just the building, seems fine really but like, maybe less of a non-event than the almost no attention it appears to be getting.
Or you mean the part where Bell unnecessarily routes Canadian traffic through the US just cause they can get paid more that way? Ya that doesn’t seem good to me either but has been widely known for years now and apparently we’re okay with it.
It’s not really any particular problem, I just think it’s the sort of thing that’s worth being aware of at least. So I pointed it out. I did overhype the headline (should have put the building housing a key part…) but did indicate in the post that they bought the building and not control of TorIX itself and that
While that’s not necessarily an issue, I kinda figured it was at least a little bit notable but I’ve not seen it mentioned aside from an investment context.
It was also an opportunity to highlight Bell’s unnecessary sending of traffic through the US which I think should have a higher profile though I’m not a strident nationalist and might actually be sorta okay with it if it was actually legit more efficient or something but it sounds like it’s done for business reasons eg. to pressure smaller players into private peering.
I’d like to see infrastructure have a higher profile in general. I really appreciate connectivity, electricity, running water, roads, etc. and thing the investments we make there pay off. But it seems to often fall prey to being easily underfunded in favour of some attention grabbing but ultimately underwhelming pet project calculated to garner votes. Like tech debt being swept under the rug in favour of shiny features.
I’m planning on upgrading lemmy to v0.18.0 tonight, probably around 9pm CDT. So there will be a bit of downtime, but I don’t think it should take too long....
Looked through the docs a bit and it's not really clear to me: I'm posting this on lemmy.ca, does that mean only that instance knows my IP? Or does every instance it federates with get my ip alongside this post?...
Good point! And ya, when I open umatrix on a comment thread I see a whole menagerie of instances serving me images as I guess that goes for the profile image too.
But I find that somehow less concerning as they just know “someone at this IP viewed this thread containing these images” than “the user at this IP wrote this comment (or post)”.
Hmmm, but if DMs allow images and they work like this, a user with their own instance who wants to know which IP wrote a comment could perhaps send a message to the author with a unique image…
How much does it matter what type of harddisk i buy for my server?
Hello, I’m relatively new to self-hosting and recently started using Unraid, which I find fantastic! I’m now considering upgrading my storage capacity by purchasing either an 8TB or 10TB hard drive. I’m exploring both new and used options to find the best deal. However, I’ve noticed that prices vary based on the specific...
What is the best model of used ThinkPad to purchase?
I’m thinking of picking up a used ThinkPad on eBay for cheap to serve as my daily driver. I’ll likely run LMDE, and primarily use it for web browsing, office programs, coding, and FreeCAD. Any recommendations on which model would best hit the sweet spot of capability vs price?
Why North America Can't Build Nice Apartments [Video, 12:09] (www.youtube.com)
Laptop with long runtime
I’m looking to buy a new laptop. I recently switched to Linux (Fedora) and would like to stay with it (Not necessarily Fedora though)....
Should I renew my liberapay donations?
Apparently, while it’s closed for new donations, liberapay is still going to renew existing ones.
In Small Claims Court, Justice Delayed (thelocal.to)
Seems like the Landlord and Tenant Board isn’t the only part of our justice system falling apart due to provincial neglect.
Self-hosted habit tracker
Hi self-hosters. I am looking into personal habit trackers that I can self-host. So far, I have looked at the following:...
Thousands in Toronto take to the streets for climate (www.nationalobserver.com)
Anyone know of a reverse command script or package to parse args for flags, expand them, and condense a man or help page(s) to just the relevant flags?
I have been working on my scripts for user/group permissions today. This idea has been on my back burner for awhile. I’m sure others have done this before. I just haven’t encountered them yet....
'Something's changed': Summer 2023 is screaming climate change, scientists say | CBC News (www.cbc.ca)
Better understanding and mitigating the risks of using a phone that no longer receives system updates
cross-posted from: lemmy.ca/post/1926125...
Best alternative to selfhosting email? E.g. email hosting provider for a custom domain
Hey guys,...
Google will pull news links in Canada in response to new law (www.engadget.com)
Good luck, Olivia Chow — you’re going to need it (www.tvo.org)
Our new mayor faces an uphill battle, this TVO piece lays it out well. And that’s not even counting the potential for active sabotage like what Bob Rae ran into.
A key part of Canada's Internet was just sold to Japanese telco KDDI (money.tmx.com)
Allied Properties sale of their data centre portfolio to KDDI includes 151 Front Street W., the site of TorIX which is the main Internet Exchange Point for the country. While that's not necessarily an issue, I kinda figured it was at least a little bit notable but I've not seen it mentioned aside from an investment context....
Upgrade to v0.18.0
I’m planning on upgrading lemmy to v0.18.0 tonight, probably around 9pm CDT. So there will be a bit of downtime, but I don’t think it should take too long....
Who can see my IP on Lemmy?
Looked through the docs a bit and it's not really clear to me: I'm posting this on lemmy.ca, does that mean only that instance knows my IP? Or does every instance it federates with get my ip alongside this post?...