Wenn ich sehe wie viel Infos dann öfters mal einfach aus chatprotokollen rauspurzeln glaub ich schon das öfters mal was gefunden wird.
Man muß nicht dumm sein um nicht perfekt in opsec zu sein. Es gibt jede Menge Wege wie man was “liegen lassen” kann, vor allem digital. Und wenn man sich damit nicht regelmäßig beschäftigt kennt man nicht alle.
Einfach aus convenience am Laptop im Chat eingelogged bleiben? Ups, jetzt ist er konfisziert …
First: love that that’s a thing, but I find the blog post hilarious:
We believe this choice must include the one to migrate your data to another cloud provider or on-premises. That’s why, starting today, we’re waiving data transfer out to the internet (DTO) charges when you want to move outside of AWS.
and later
We believe in customer choice, including the choice to move your data out of AWS. The waiver on data transfer out to the internet charges also follows the direction set by the European Data Act and is available to all AWS customers around the world and from any AWS Region.
But sure: it’s out of their love for customer choice that they offer this now. The fact that it also fulfills the requirements by the EDA is purely coincidental, they would have done it for sure.
Remember folks: regulation works. Sometimes corporations need the state(s) to force their hand to do the right thing.
I went with iDrive e2 https://www.idrive.com/s3-storage-e2/ 5 TB is 150$/year (50% off first year) for S3-compatible storage. My favorite part is that there are no per-request, ingress or egress costs. That cost is all there is.
without trusting anyone.
Well, except of course the entity that gave you the hardware. And the entity that preinstalled and/or gave you the OS image. And that that entity wasn’t fooled into including malicious code in some roundabout way.
like it or not, there’s currently no real way to use any significant amount of computing power without trusting someone. And usually several hundreds/thousands of someones.
The best you can hope for is to focus the trust into a small number of entities that have it in their own self interest to prove worthy of that trust.
Like many other security mechanisms VLANs aren’t really about enabling anything that can’t be done without them.
Instead it’s almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.
So if your question is “do I need VLAN to enable any features”, then the answer is no, you don’t (almost certainly, I’m sure there are some weird corner cases and exceptions).
What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don’t normally talk to each other anyway. Right. That “normally” is exactly the case: one major benefit of having VLANs is not just stopping “normal” phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you’re out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone …
So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.
I’m sorry that my attempt to find out what you want to be able to provide useful help annoyed you.
Without any text it’s really hard to guess what you want and that’s why you get so many different answers.
Do you want to
Note that I suspect you actually want the third one, in which case I suggest you avoid MediaWiki. Not because it’s bad, but because it’s almost certainly overkill for your use-case and there’s way simpler, easier-to-setup-and-maintain systems with fewer moving parts out there.
Increase the attack surface compared to what? If you don’t allow/enable any access to services inside your network from outside, then by definition you have fewer attack surfaces than if you add a VPN to that empty list.
So trivially the answer is “yes, it adds an attack surface”.
But what are the alternatives? If you directly expose each individual service on a dedicated port, for example, then you’d add many more (and usually less well hardened) attack surfaces instead.
So if the comparison is “expose 5 web-based services directly” vs. “expose one VPN like wireguard”, then the second option is almost always the clear winner when it comes to security (and frequently also when it comes to ease of setup as well as comfort).
This isn’t specific to just netdata, but I frequently find projects that have some feature provided via their cloud offering and then say “but you can also do it locally” and gesture vaguely at some half-written docs that don’t really help.
It makes sense for them, since one of those is how they make money and the other is how they loose cloud customers, but it’s still annoying.
Shoutout to healthcheck.io who seem to provide both nice cloud offerings and a fully-fledged server with good documentation.
I’ve not found a good solution for actual constant monitoring and I’ll be following this thread, but I have a similar/related item: I use healthcheck.io (specifically a self-hosted instance) to verify all my cron jobs (backups, syncs, …) are working correctly. Often even more involved monitoring solutions do not cover that area (and it can be quite terrible if it goes wrong), so I think it’ll be a good addition to most of these.
At a big enough LAN even just getting everyone to change that setting is probably harder than setting up a central cache. Don’t underestimate the amount of people that listen to instructions, say sure and then just either not do it, or fail to do it correctly.
USB SATA controllers are also very hit-and-miss. There’s plenty of really, really bad ones out there. Either missing features, slow, getting hot or all of the above. If you found one that works well, good for you, but I’d avoid most noname brands, unless I had specific knowledge about the product or the very least the chipset they use.
That example makes sense to me, because it’s an alternative to something like hosting a blog on some third party site: generate it statically and host the result somewhere.
I’ve got the same setup! What I love about authentik is that I can even add a Google login as an authentication method. That severely increases the spouse-acceptance factor, as they don’t have to “remember yet another password” or “carry around another thingie”. Personally I use a YubiKey anyway, but for others who aren’t into it “for fun” or for philosophical reasons reducing the friction as much as possible is paramount.
That’s a great answer if one already has a NAS (which is not unlikely, given the name of the community). But if that’s not already present (or desired for other reason) then a simple media-PC with some built-in storage is simpler to set up.
I suggest to avoid the temptation to get one of the many cheap Android boxen meant for media playback from Ali Express or the like, as they have a strong tendency to be heavily loaded with malware. Definitely not all of them, but it’s really hard to tell which specific one you’ll get.
Now you make me feel old. In “the olden days” before streaming of media over the internet was as commonplace as it was now, that was the standard way that tech-savy people consumed media: Either on their PC or with some set-top box with built-in storage. I fondly remember my PopcornHour, which was basically a line of desktop-boxes that ranged from “basically a hard disk, video decoder and HDMI out” all the way to “can automatically rip your BlueRays”.
A custom “source available” license that may not be as clear-cut as intended and depends on “we know it when we see it” by the authors of the license? You don’t say!
I’ve not tried that myself, but AFAIK VLC can be remote controlled in various ways, and since the API for that is open, multiple clients for it exist: https://wiki.videolan.org/Control_VLC_from_an_Android_Phone
There’s also Clementine which offers a remote-control Android app.
I second that. This practice comes from a time where domain names were expensive, in many ways: SNI didn’t exist/wasn’t wide-spread, so each domain name on HTTPS needed a dedicated IP, Certificates weren’t democratized yet via letsencrypt/acme and most hosts were big enough to run multiple services, because virtualization wasn’t as widely available yet. So putting apps on sub-paths made sense.
Now all of those things are basically dealt with and putting each app on its own sub-domain just makes way more sense.