I’m not the creator of the survey, but I’ve just send them the link to this discussion on Mastodon, so they can take the feedback into account.

Thanks for the correction. It’s a shame that sysadmins balcklist middle nodes too, since they won’t see any TOR traffic originating from your IP address anyway.

Make sure to not refresh the page, else it seems like all progress is lost.
I found out simultaneously that I enabled pull down to refresh the page in Firefox Android.

Edit: The survey wasn’t created by me, I just shared it.

There’s different types of relay, including exit relays, which are the legally problematic type. Middle, guard, and bridge relays don’t face the same issues with law enforcement and IP blocking.

Yes, there’s many ways to make programs unable to use other network interfaces. E.g. I’m creating a network namespace with a single wg0 interface, which I make services use through systemd NetworkNamespacePath.

That said, I’d argue gluetun is pretty much foolproof, especially with most people using docker which messes with iptables (edit: although I don’t know if this’d be an issue for this use case).

Yeah, I’m not sure whether Bitwarden always had support for exporting the vault on mobile, but it’s an awesome feature.

Transcoding and transcoded downloads does not seem to be merged yet, altough there’s a working PR.

https://github.com/jarnedemeulemeester/findroid/pull/791

Almost all oft their breaking changes over the last few months were about their docker-compose setup and the simplification of the same. They’ve startend out with multiple purpose-specific (micro) containers, which turned out as a Bad design decision. These changes require manual intervention but seem to be mostly finished, so I don’t expect these to be many breaking changes in the forsseeable future.

The better you plan ahead, the fewer breaking changes you have to impose on your users.

I agree. From what I’ve read, they now have (published) plans for what’s ahead.

desec.io can be used with any domain registrar and has an API with support for various ddns clients (ddclient, lego).

deSEC is a free DNS hosting service, designed with security in mind.

Running on open-source software and supported by SSE, deSEC is free for everyone to use.

Edit: To clarify, desec.io does not sell/rent domains. Desec has to be set as the authoritative nameserver on the registrar, then desec can manage domain records instead of the registrar (which usually also provides their own domain hosting for “free” by default).

It might depend on the particular bridges, but all mautrix- bridges work great for me with conduit. In a way adding bridges to conduit is easier since it’s all done through the admin room on conduit.

Immich recently changed license from MIT to AGPL. As far as I understand they can’t sinply relicense to a non-free license unless they redo a good chunk of code from the last half a year.

If they still used the MIT license I’d be worried too.

I personally would be hesitant to host Immich publicly until they’ve done a security audit. The risk of accidentally exposing my photos publicly is too big for me.

That’s why I recommend using Tailscale or Wireguard directly. Personally I’m using Wireguard for me and Tailscale for other people I want to easily access my services.

I prefer swap files over swap partitions, because it makes it my partition layout simpler to manage.

If your using a swap partition, make sure it’s located on an encrypted partition, else it exposes data stored in RAM (encryption keys etc). With SSD’s it’s difficult to make sure this data is actually deleted, even after overwriting.

My preferred setup for a long time was LUKS with btrfs on top. Then subvolumes for /, /home and the swap file (+ /var/cache, /var/log etc.). This gives me peace of mind nothing is unencrypted except /boot.

Nowadays I simply use zram, which allows for a small part of RAM to be compressed for swap. It’s great, simple to setup and performs well. Imo it should be default for all desktops.

For swap files on btrfs COW and features like compression have to be disabled. I believe for btrfs the swap file even has to sit on a subvolume with those features disabled, so it’s not enough to only disable them for the swap file.

Online transactions require a second factor which displays the actual amount to be transferred. This works by either an app which receives the transaction data (recipient, how much) over the network, or a device which takes the bank card and is used to scan something similar to a qr code. The device then displays the transaction data.

This makes sure a fraudulent site can’t easily change the amount or the recipient of a transaction, even if they somehow made an identical website (or close enough).

For remote transactions (e.g. online payments), the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.

https://www.ecb.europa.eu/press/intro/mip-online/2018/html/1803_revisedpsd.en.html

It’s not perfect, especially with people using a banking app and the second factor app on the same device for convenience sake.

That’s a bummer. Seems like Google Pixel and Fairphone are the only ones left. I don’t even know why manufacturers wouldn’t allow for relocking or even unlocking of their phones. I can’t imagine they make much money with user data and the phone is already paid for. Warranty claims shouldn’t be much of an issue either, as modifications can be easily detected and it’s likely not a relevant amount of people anyway.

The banking apps I’ve tried don’t require SafetyNet, instead they use Android AOSP’s basicIntegrity. The latter doesn’t require certification by Google, but also checks whether the device is rooted and the bootloader is locked.

This means custom ROM’s on most devices won’t pass basicIntegrity, as only Google Pixel, OnePlus and Fairphone allow for relocking the bootloader.

At least in the EU web browsers don’t allow for authenticating transactions (beyond a limit of e.g. 30€). Either an additional authenticator app or a standalone card reader is mandatory.

Luckily my banking apps work flawlessly on GrapheneOS and even microG, likely because of they care about the bootloader being locked again.

It’s not possible to dd a Windows ISO to a USB stick.

What way too many people fail to understand, because Linux ISOs are applying this method, but this is essentially a MAJOR HACK CALLED ‘ISOHYBRID’, is that, in most cases, you cannot simply take an ISO image and copy it byte for byte to a USB drive, and expect that to boot.

https://superuser.com/questions/1527197/debian-creating-windows-10-bootable-install-usb-drive-using-terminal-dd#1527373

But is it useful what you’ve learned? Could’ve learned something else.

(But I’m commenting on a meme, instead washing my dishes, both things that didn’t teach me much).