

No that’s the thing. Plex can also use their infra as a tunneling system. You can have remote streaming without exposing Plex publicly and without VPN. It is slow though.
Well, as an application it has a huge attack surface, it’s also able to download stuff from the internet (e.g., subs) and many people run it on a NAS. I run Jellyfin in Docker, I didn’t do a security assessment yet, but for sure it needs volume mounts, not sure about what capabilities it runs with (surely NET_BIND, and I think DAC_READ_SEARCH to avoid file ownership issues with downloaders?). Either way, I would never expose a service like that on the internet.
Not to be “achtuallying”, but a VPN is not a way to remote stream, it’s a way to bring remote clients into the local network.
Likewise, exposing services on the internet… not really going to happen, especially for people - like me - that run Plex/Jellyfin on their NAS.
I don’t have a horse in this race, I don’t use remote streaming, I only ever streamed from my NAS to my 2 TVs, and I am experimenting with Jellyfin. But for those who do need remote streaming, Jellyfin is going to be problematic.
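As an added example (not Jellyfin’s own compose file, and not something the commenter posted), here is how the capability question raised above can be settled explicitly in a Docker Compose service definition for a LAN-only Jellyfin on a NAS. The image tag, host paths, the UID/GID 1500 and the NAS VLAN address 192.168.50.10 are assumptions; adjust them to your setup.

```yaml
# Added example: hardened Compose service for a LAN-only Jellyfin.
# All paths, the UID/GID and the host IP below are assumptions.
services:
  jellyfin:
    image: jellyfin/jellyfin:latest   # assumption: the official image
    # Run as a dedicated unprivileged user instead of root plus DAC_READ_SEARCH.
    # Give this GID group-read access to the library (chgrp -R 1500 /volume1/media;
    # chmod -R g+rX /volume1/media) so ownership of files created by downloaders
    # does not matter and no capability is needed to read them.
    user: "1500:1500"
    # Drop every capability. Jellyfin's default HTTP port 8096 is above 1024,
    # so not even NET_BIND_SERVICE is required; add it back only if you bind
    # a privileged port inside the container.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # Immutable root filesystem; only the mounted volumes and /tmp are writable.
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - /volume1/docker/jellyfin/config:/config   # writable: database, settings
      - /volume1/docker/jellyfin/cache:/cache     # writable: transcodes, thumbnails
      # Library is read-only. Relax to rw only if you let a subtitle plugin
      # write downloaded subs next to the media files.
      - /volume1/media:/media:ro
    # Do NOT use network_mode: host; keep the container in its own network
    # namespace and publish the port only on the NAS address on the media VLAN.
    ports:
      - "192.168.50.10:8096:8096"
    restart: unless-stopped
```

Once it is up, `docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}} {{.HostConfig.ReadonlyRootfs}}' jellyfin` confirms the capability set and the read-only root that actually took effect, and `grep Cap /proc/<pid>/status` on the NAS shows the effective mask of the running process. The read-only root and the dropped capabilities are the parts most likely to need loosening for a particular plugin or hardware transcoding setup; loosen them one at a time rather than falling back to `privileged` or the host network namespace.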
In 4 years I have never used (and never will use) any service from /e/. There is no vendor lock-in whatsoever. That’s fully optional.
Points 3, 4 and 5 in your list are moot IMHO.
Also
It takes a base level of understanding why you would buy a Fairphone
It doesn’t really. “Phone is repairable and X can help me”, “they pay the makers fair wages” are not really complex value propositions that require some (technical) understanding.
The point of /e/ and similar distributions is that you can buy a phone with it (average user will never reflash) and just have a phone that doesn’t use Google (it does, for the amount that doesn’t require you to do extra technical stuff and have a sane user experience at the same time).
That said, calyx seems a great alternative and so are iode. I think the advantages of one over the other (for my brief search) are quite small.
Gotcha, you are the classic person who is unnecessarily confrontational, but who dashes away from any actual confrontation, because ultimately you have nothing to say. Your history shows this clearly.
We can all live without toxic people like you.
So your argument is repeating a cliché? OK.
I don’t need to convince you, but I explained my reasoning. Maybe make some practical examples, show some CVEs that - if left unpatched - severely impact the privacy (or the broader security) of the average users.
Also, as anybody who works in security knows, security is not binary, and securing often means paying a price (in usability, in Euro, in comfort, in performance, whatever). In my mom’s threat model there is no APT leveraging a 0-day to breach her worthless phone, there are opportunistic scammers who send her emails. There is also Google and the like harvesting her data to sell her shit (hence a deGoogled phone with the bootloader unlocked is more important than a Google phone with the bootloader locked, for example).
In my threat model there might be some more resourceful attackers (because, believe it or not, a financial org trusts me with securing their infra). However, as I also said, a much simpler and cheaper attack that has recently made the news is just to snatch the phone unlocked from my hands on the street, rather than exploiting an Android CVE. This is why, for example, I have app PINs for Signal, email and everything that supports it, and I need to authenticate at every use. I also store all my TOTP on my YubiKey, rather than keeping them on the phone (even with a PIN), so my phone is no good as a 2FA device.
What you call blasé is actually just the way I personally assessed the risks and decided to invest accordingly. People whose threat model involves the bots who spam emails do not have to invest in security as if the NSA is after them. Updating Android a month later is not going to be even a “low” risk for most people, especially if they adopt the much more important practice (IMHO) of not installing every shitty app under the sun. If you think otherwise, make concrete examples perhaps. Using a cliché is not really building your credibility here.
I definitely wait more than a week to update for example. The marginal security risk is completely irrelevant for me compared to the operational risk of a buggy update. N-1 is a common practice for updating software in fact, unless there is absolutely a great reason to upgrade.
Also, I want to be in your circle, because most people I know, if the phone doesn’t update automatically, probably won’t even think of updating their phone (or their computer) at all.
For me the reason is simple, I don’t care about the advanced threats that would be mitigated by GrapheneOS enough to buy a pixel and migrate. I already own a FP3 and that’s what I am going to use until it breaks.
I might consider Graphene in the future, but having to buy a Google phone (even a used one) already pisses me off, compared to a FP (or similar). eOS also tries to be a “noob-friendly” distribution that you can buy phones with and never have to mess with the phone, which means people who don’t have the skills or don’t want to mess with their phones might trade the risk for ease of operation, and it might be the right choice for them.
Generally speaking, privacy and security are related but not really linked to each other. Google services might be very secure, but a privacy nightmare, for example. In this particular case, even more so, because the chances that using a “googled” phone will mean data collection (i.e. privacy issues) are almost certain, while the risks we are talking about are much more niche and - as I elaborated in another comment - in my opinion not really in most people’s threat model.
I would like to hear your perspective instead, because I am not really into using arguments from authority, but as a security engineer I believe I at least understand the issue with security updates, vulnerabilities and exploits well. So yes, I do think I know what I am talking about.
I am not dismissing it, I am saying that it is not as big as you make it out to be. Most users lag behind in updates anyway; besides, using minimal and trusted applications, the outside exposure to exploitation is relatively small for a device without a public address. I am not the one APTs are going to use the no-click SMS 0-day against.
Similarly for the bootloader issue. The kind of attacks mitigated by this are not in most people’s threat models. They just are not. As someone else wrote, it’s possible to relock the bootloader anyway with official builds (such as on my FP3). But anyway, even for myself the chance that my phone gets modified through physical access without my knowledge is a fraction of a fraction compared to the chance that someone will snatch the phone from my hand while unlocked, for example (a recent pattern).
If these two issues are what prompts you to call a “security dumpster fire”, I would say we at least have very different risk perceptions.
FWIW, I have the FP3 for now more than 4 years. I have only replaced the battery 6 months ago. A case would have been extra waste (to produce the case itself) in my case, and probably will be trashed after as it might not fit the next phone.
No offense, but that’s not what a security dumpster fire is. Security updates are important, of course, but they are also not the biggest deal.
In fact, I bet that the vast majority of users (on Android or otherwise) are lagging way behind in updates anyway.
Maybe they are just getting started with learning programming, be kind.
Forgejo : Codeberg = Lemmy : blahaj.zone
Forgejo being a fork of Gitea
Why do you keep posting me articles about the FTC, when the appointee in this discussion was for the Department of Justice, and was confirmed a week ago (on the 11th, I think)?
https://www.theverge.com/news/626502/trump-doj-recommends-google-breakup-antitrust-search-chrome
This is more relevant, as the topic was antitrust and breaking up monopolies. This still happened before Slater was officially confirmed, and it’s something that was not started now. But at least it is relevant.
Yes, but who said otherwise then?
Oh, OP made it up. Nvm. They write themselves that it is a Notion alternative.
None of those tools are editors, right? They all try to be a Notion alternative, which is also not an editor. There is basically 0 focus on typesetting.
No, because with the above you can have rich objects in databases (for example, a dynamically updated list of medical events, each with all the attributes I want, attachments etc.), and almost arbitrarily deep nesting of databases. The idea of having databases with pages is one of the key features that made Notion successful. It allows structuring knowledge without duplication, in addition to providing some other no-code features.
Spreadsheets are not even close.
Fair enough, I am also not attached to Kagi, mostly I want companies with good business models to succeed in tech. I want to see ad-revenue based companies (and the whole connected industry) crumble. A man can dream…
But Yandex is useful for those who search in Russian. The low utilization probably comes from a mostly US/EU customer base, but when it is used, it is useful. I would disagree with disabling it. The best would be letting people decide which backends to use, but that requires a whole rewrite of the search logic on their side, so it’s not happening any time soon…
BTW, in the EU we still use a lot of gas and oil from Russia, so it’s quite difficult to avoid giving them money (especially because we don’t know where the energy came from for every product we buy).
I presume you mean running Plex in the host network namespace. I don’t do that, as I run the Synology package, but I can totally see the issue you mean.
Running in the host namespace is bad, not terrible, especially because my NAS is on a separate VLAN, so besides being able to reach other local NAS services, it cannot do much. Much, much, much less risk than exposing the service on the internet (which I also don’t).
Also, all this is not a problem for me, I don’t use remote streaming at all, hence why I am also experimenting with Jellyfin. If I did, though, I would have only 2 options: expose Jellyfin on the internet, maybe with some hacky IP whitelist, or expect my mom to understand VPNs for her TV.
It would be nice to elaborate on this. I think it reduces a lot of risk, compared to exposing the service publicly. Any vulnerability in the software can’t be directly exploited, because the Plex server is not reachable; you need an intermediate point of compromise. Maybe the Plex infra can be exploited, but that’s a massively different type of attack compared to the opportunistic and no-cost “run Shodan to check for exposed Plex instances” attack.