On my list it shows that I have not personally used the software, so I have no idea. This is good to know, though, so thank you! I’ll be sure to replace it with a better alternative if one exists.

I would be very interested to here what those other ways are.

I’ve thought a lot about the many places governments can get funding from. The most obvious would be donations, if you can build a culture that is strongly oriented around donations. Housing, land, and school costs are sources we have today. Some more creative funding sources include: taxing companies (since companies are transparent this can be enforced), adding a wealth cap (and any extra income once that cap is hit goes towards the government), and heavy legal fines (currently legal fines are pretty small, especially for big corporations). The best way for a government to make money is to spend it responsibly to avoid useless costs or overspending. There’s plenty of other sources of income, but if done correctly they should cover the cost of no taxes and free healthcare.

Your link does not work.

Invalid connection link
Please check that you used the correct link or ask your contact to send you another one.

I suggest editing the post with a fresh invite link.

I edit notes using vim or vscodium.

You should probably try moving away from this practice. First, this leaves your notes vulnerable as they are not encrypted at rest. Second, those programs are not designed for private notes, meaning there is the potential for various leaks to happen that you may not even be able to catch (temporary system files, etc.). Using a dedicated notes editor (like Joplin) means you are using something designed to keep your notes confidential.

Disclaimer: In the case of Joplin specifically, the developers take issue with implementing encryption at rest. Their philosophy is “If your computer’s disk is encrypted, then all your notes are already encrypted at rest.” This is flawed thinking for many reasons that I won’t get into here.

I would recommend Joplin, for these reasons:

1. It’s digital (of course)
2. It’s cross platform: iOS, Linux, Windows, macOS, and Android
3. It’s fully open source
4. It supports end-to-end encrypted syncing with different providers: Joplin Cloud, Dropbox, OneDrive, File system (for things like Syncthing), Nextcloud, WebDAV, S3 (Beta), and Joplin Server (Beta)
5. It supports markdown editing

When looking for software in general, write down what you are looking for and what your requirements are. Then, consider if there are any conflicting requirements (e.g. “I want my handwritten notes to be transcribed, but I don’t want any kind of handwriting recognition”). From there, you can make tough decisions or find a compromise. Then, think about any problems that may arise in the future. Do you plan to switch operating systems to something like GrapheneOS? Do you want to move away from cloud storage altogether? From there, you can get a good idea of what to look for. Good luck!

THIS

While I would make the modification to use Android’s Private Space instead of a work profile (or Shelter instead of Insular), this was such an obvious solution, and I feel stupid for not seeing it. I might use Wireguard instead of Tailscale, I don’t know yet, but thank you! Consider yourself an outside the box thinker!

We all got hung up on trying to fix Proton, when Android was the issue here!

OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we’ll leave it at that.

I’ve noticed that behavior is split between communities. Lemmy gets a bit weird because communities are usually hyper-specialized, and sometimes instances themselves cultivate different cultures (e.g. lemmy.ml is usually for privacy enthusiasts, since that’s where c/privacy is hosted). That, with the addition of specific idols for each community (e.g. Louis Rossmann for the selfhosted community) affects how each community behaves. That’s my theory, anyways.

I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

Basically the “this website is not secure” popup you see in your browser is sometimes due to the website using a self-signed cert. There’s no way to verify that that cert is from the website itself or from an attacker trying to inject their own cert, since there’s no CA attached to the cert. If an attacker injects their own self-signed cert, they can use that to decrypt your HTTPS traffic (since your browser will be encrypting using their cert) and then forward your traffic along to the real website so that from your perspective (minus the warning screen) nothing is wrong. I’m oversimplifying this, but that’s basically how it works.

Unfortunately, if you don’t have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client.

I forgot to mention in this post, but because of browser fingerprinting reasons I don’t want to use a custom DNS. Thanks for the suggestion though!

Thank you for this!

Is OPNsense like dd-wrt or OpenWrt?

The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking.

I have background in Wi-Fi hacking and LAN attacks, and I understand the structure of networking (LAN, WAN, layers of the internet, DNS, CAs, etc.). My head starts to hurt when RADIUS is involved, ad hoc networking (which I understand the concepts of, just not how it works. I want to learn this first), mDNS, and other complicated topics. I’m trying to push past those mental roadblocks and learn as best I can, but it’s a tricky topic!

https://wiki.freeradius.org/

There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.

Thank you! I’ll definitely check this out. You’ve been a huge help!

Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

This is fair, and does solve the problem. I didn’t explicitly state that I needed it to be convenient, so you’re right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn’t solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.

That makes me wonder if there’s a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn’t working because it requires the active VPN slot occupied by ProtonVPN.

Okay, so you might be unfamiliar with networking

I’m familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!

No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

I want it to be encrypted during transit, even if it is over the LAN.

Tailscale/Headscale creates it’s own VPN network which will need its own IP space.

This is what I was afraid of, because this means it probably can’t run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?

If so, it means we’ve come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don’t see any other option than buying a domain and exposing the server to the internet. Am I missing something?

I know. It’s very unfortunate, but I understand why.

Alright, I’m slowly learning, bare with me here:

• ProtonVPN is always-on and blocks connections without VPN
• Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)
• Tailscale and a Jellyfin client are installed on the phone

Then:

• Will that will run fully on the LAN?
• Will it be encrypted during transit?
• Does ProtonVPN need to allow LAN connections?

So:

• ProtonVPN is installed on my Android phone
• Android has Always-on VPN enabled
• Android has Block connections without VPN enabled
• Host Jellyfin on my Raspberry Pi 5
• Install Headscale on my Raspberry Pi 5
• Install Headscale on my Android phone
• Install a Jellyfin client on my Android phone
• Configure everything

And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?

Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that’s why I ask.

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That’s the simplest.

I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?

A better option would be getting an OpenWRT router

This is what I have planned. OpenWrt Two my beloved

You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

I also don’t know how to do this. Resources are much appreciated :)

!lemmysilver

Other people beat me to it on the other post, but none here!

Yes!

My list of open source software lists LibreTrack as an open source delivery tracking app for Android and Linux.

excellent writeup with some high quality referencing.

Thank you!

though i’m not sure it’s fair to say FF is insecure if we are by comparison inferring Chromium is secure?

The whole debate is a mess, so at some point you have to pick a camp of thinking and stick to it. I tried to clear this up before, but failed:

• https://lemmy.ml/post/21367269
• https://lemmy.ml/post/21887275

does this read like coreboot is proprietary? isn’t it GPL2? i might’ve misunderstood something.

Good question! I should have clarified. Libreboot removes proprietary drivers, firmware, and other code from coreboot in favor of their open source counterparts (where available). Some of that code is used to keep the system secure, even if it is proprietary, so Libreboot favors open source over security.

there is still an implicit arms race where privacy corroding features might be implemented at various layers vs the inevitably less resourced team trying to counter them.

is there some additional semi-blind ‘faith’ we’re also employing where we are probably assuming the corporate entity currently has little financial incentive in undermining the opensource base project because they can simply bolt on whatever nastiness they want downstream?

Most Google BS is simply not included in AOSP at all, and is instead added to their own proprietary Pixel OS (based on AOSP). For the invasive bits that are included, it’s easy enough for GrapheneOS to look over the incremental updates in Android and remove the bits that they don’t like.