• 0 Posts
  • 22 Comments
Joined 1 year ago
cake
Cake day: June 14th, 2023

help-circle
  • Ideally you want something that gracefully degrades.

    So, my media library is hosted by Plex/Jellyfin and a bunch of complex firewall and reverse proxy stuff… And it’s replicated using Syncthing. But at the end of the day it’s on an external HDD that they can plug into a regular old laptop and browse on pretty much any OS.

    Same story for old family photos (Photoprism, indexing a directory tree on a Synology NAS) and regular files (mostly just direct SMB mounts on the same NAS).

    Backups are a bit more complex, but I also have fairly detailed disaster recovery plans that explain how to decrypt/restore backups and access admin functions, if I’m not available (in the grim scenario, dead - but also maybe just overseas or otherwise indisposed) when something bad happens.

    Aside from that, I always make sure that all of all the selfhosting stuff in my family home is entirely separate from the network infra. No DNS, DHCP or anything else ever runs on my hosting infra.


  • rho50@lemmy.nztoSelfhosted@lemmy.worldLlama-FS Self-Organizing File Manager
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    1
    ·
    5 months ago

    It would be better to have this as a FUSE filesystem though - you mount it on an empty directory, point the tool at your unorganised data and let it run its indexing and LLM categorisation/labelling, and your files are resurfaced under the mountpoint without any potentially damaging changes to the original data.

    The other option would be just generating a bunch of symlinks, but I personally feel a FUSE implementation would be cleaner.

    It’s pretty clear that actually renaming the original files based on the output of an LLM is a bad idea though.


  • (6.9-4.2)/(2024-2018) = 0.45 “version increments” per year.

    4.2/(2018-1991) = 0.15 “version increments” per year.

    So, the pace of version increases in the past 6 years has been around triple the average from the previous 27 years, since Linux’ first release.

    I guess I can see why 6.9 would seem pretty dramatic for long-time Linux users.

    I wonder whether development has actually accelerated, or if this is just a change in the approach to the release/versioning process.


  • The DJI Fly app is probably considerably worse for security/privacy than most Google apps. DJI has a storied history of sketchy practices in their apps: see here.

    Google also won’t allow DJI to distribute their apps through the Play Store, because of DJI’s weird insistence on being able to push arbitrary binaries to customers’ phones entirely free of any third party vetting.

    GrapheneOS’ sandbox hardening might help somewhat, but I’d recommend avoiding DJI products if you can. If you must use DJI Fly, prefer to use it in a different profile where it can’t touch any of your personal apps. Tough when they are singularly the best drone manufacturer for videography though.




  • You can restrict what gets installed by running your own repos and locking the machines to only use those (either give employees accounts with no sudo access, or have monitoring that alerts when repo configs are changed).

    So once you are in that zone you do need some fast acting reactive tools that keep watch for viruses.

    For anti-malware, I don’t think there are very many agents available to the public that work well on Linux, but they do exist inside big companies that use Linux for their employee environments. For forensics and incident response there is GRR, which has Linux support.

    Canonical may have some offering in this space, but I’m not familiar with their products.











  • rho50@lemmy.nztoLinux@lemmy.ml*Permanently Deleted*
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    11 months ago

    Crostini is an official feature built by Google that allows you to run Linux on a tightly integrated hypervisor inside Chrome OS. You keep a lot of Chrome OS’ security benefits while getting a Linux machine to play with.

    That said, no, it’s not illegal to install a different operating system on your Chromebook hardware. They are just PCs, under the hood. You might lose some hardware security features though, e.g. the capabilities provided by integration of the Titan silicon.

    If you had a job at Google, corporate IT would definitely not be happy if you wiped the company-managed OS and installed an unmanaged Linux distro :)


  • Tl;dr: TPMs are very unlikely to make your privacy better or worse, but they could definitely be abused by a company like MS to make end users’ experiences worse. They could also be used for significant security and privacy gains… they’re a tool.

    The TPM can be used to provide a cryptographic binding between aspects of your system’s configuration and a unique key which is resident within the TPM (a process called “attestation”). It can also generate secondary keys that are associated with the base key, and use those to do cryptographic operations like encryption/decryption and authentication.

    Telemetry wise, the TPM’s only utility might be to “prove” that the data sent from your PC wasn’t tampered with. That said, I don’t think MS is actually doing that, and they don’t need to in order to be incredibly invasive in their telemetry.

    The (imo) worst way in which a TPM might be abused in a user-hostile sense is to detect if the OS has been modified by the user, or if an installation isn’t legitimate, etc. That could be used to disable certain features if you try to install unauthorised software, dual boot Linux or whatever. This would be similar to the smartphones of today, which can for example disable access to banking apps if jailbroken/rooted.

    TPMs (>2.0 at least) otherwise have the potential to realise a significant improvement in security and privacy for users, if used correctly. They can be used for encryption and credentials that are bound in hardware and therefore practically impossible to steal. And can detect hardware tampering and potentially foil Evil Maid attacks. Imagine if your login sessions for various websites were bound to your hardware, such that a dodgy extension could never steal your cookies.


  • I found it much more barebones in my tinkering. It doesn’t seem to support pulling via SSH (and definitely doesn’t support signing commits). Configuration options appear extremely limited, both in documentation and the UI.

    It looks nice, but I don’t really see the point to it when Gitea Actions is now a thing. Gitea is a more mature product, and is similarly fast and lightweight.

    Edit: s/Gitea/Forgejo. Gitea has moved to a for-profit model since I made this comment.