

Would this mini pc be a good homeserver
For what purpose?
Slashdot?
If you’re just doing a quick config edit, nano is significantly easier to use and is also present in most distros.
Vi/Vim is useful as a customizable dev environment, but in the present there are better, more feature-rich development tools - unless you are specifically doing a lot of development in a GUI-free system, for some reason.
How often do older devices get breached
A meaningful answer would require specificity about “older” (5, 10, 20+ years?) and would have to be broken down into manufacturer / major software / use case / target market groups. Also… would you include breach reports for software in the statistics? For instance, if an Adobe app was breached and leaked user account data, but it only affected devices running an older version of Android, is that an Adobe breach or an Android breach, or both?
and is there any way to continue using an “older” device safely
Basically, once a device stops receiving security updates from the manufacturer it should be considered untrustworthy. The only caveat to this would be if you knew the hardware (CPU/APU/GPU, storage, RAM, and especially NICs and TPMs), knew the firmware for all of it, knew the software running on top of it, knew that it had been audited, knew that there weren’t any major unpatched vulnerabilities for any of it, and probably limited its use to known/trusted networks. That’s a lot of work and some of it is probably impossible due to proprietary hardware & firmware.
But you’d also have to weigh all of that against your threat model like I described above. The question is always “How much effort would someone put in to hack me?” There is never zero risk, even with a brand new, fully up to date device. Security is always a game of “I don’t have to outrun the bear, I just have to outrun you.”
I feel like short security update lifecycles are a form of planned obsolescence.
There’s some truth in this, but also recognize that every CPU model has its own specific microcode, every discrete device will have its own firmware and driver, and every mainboard will have its own specific firmware that makes all of those devices work together. Every version of every phone model ever produced has some amount of device code that is specific to that version and model. Keeping on top of updating every one of them would be a monumental task. Testing every update for every device before deploying the update would probably be functionally impossible.
All of that is a big part of why Apple controls the hardware of their devices so tightly. It allows them to standardize things and limit the amount of code they have to write, and in general Apple supports their devices with security updates much longer than other mobile device manufacturers. Their support range seems to be about 7 years.
Don’t get me wrong, I’m not personally an Apple user. I prefer the broader freedom of choice in hardware and software in the Android market, but I understand that there’s a tradeoff due to the lack of standardization. Apple’s approach has benefits - there is a degree of safety in the walled garden that is not possible outside of it.
What really needs to happen is that buyers need to demand end-of-life information and support commitments from the manufacturers. For instance, the Fairphone 5 has guaranteed security updates until 2031, eight years after the launch date. That way you can make an informed decision before you buy.
The danger is essentially that anything being done on the phone is not secure.
If all she does with the phone is look at cat pictures and talk to friends and family, there’s probably not much critical information there to worry about.
But does she use the phone for banking? Tax records? Health care? Does she use the phone for multifactor authentication to log in to her bank account, etc.?
Anything involving financial or personal information could be used for identity theft and fraud. Even if she doesn’t have much money personally, her identity has value on the black market for opening fraudulent credit cards and other accounts. If her phone is no longer getting security updates then her email may be exposed, and basically if you can get into someone’s email then you can get into all of their other accounts (through “I forgot my password” links). Also keep in mind that the phone is a tracking device, so if it’s not secure then anyone with the time and interest could use it to track her location.
It’s worth noting that switching the phone to another OS like Lineage may not solve this problem. Android uses a core security feature of ARM processors called TrustZone to handle cryptographic functions like security keys. This depends on processor microcode that only gets updated by the manufacturer. If the device is no longer supported, then it will probably stop receiving updates. A third-party developer like Lineage won’t have the capability to update this code.
The potential threat from this is not usually immediate. Just because a device might be vulnerable doesn’t mean that it’s worth anyone’s time to actually hack it. But frequently what happens is that someone finds a vulnerability that can be exploited and then builds some software that can do the necessary steps automatically, after which any device with that vulnerability is not secure at all.
Deciding how critical all of this is for your mother depends a lot on context. Does she have financial assets that might make her a target? Is she politically active? Is she a member of a sociopolitical group that might be a target? Does she have a social media account with a lot of followers? Does she have any close friends or relatives that someone might want to target through her? Does she know anyone who works in security for a large corporation, government or bank? Her own vulnerability might make someone else vulnerable by proximity.
There’s no way to eliminate risk completely. The only way to answer the question “how dangerous is this?” is to assess the severity of possible losses and the likelihood of potential threats (threat modeling) and then make judgment calls based on priority.
Encrypting the connection is good, it means that no one should be able to capture the data and read it - but my concern is more about the holes in the network boundary you have to create to establish the connection.
My point of view is, that’s not something you want happening automatically, unless you manually configured it to do that yourself and you know exactly how it works, what it connects to and how it authenticates (and preferably have some kind of inbound/outbound traffic monitoring for that connection).
Ah, just one question - is your current Syncthing use internal to your home network, or does it sync remotely?
Because if you’re just having your mobile devices sync files when they get on your home wifi, it’s reasonably safe for that to be fire-and-forget, but if you’re syncing from public networks into private that really should require some more specific configuration and active control.
B. F. Skinner would like a word
For twenty-five hundred years people have been preoccupied with feelings and mental life, but only recently has any interest been shown in a more precise analysis of the role of the environment. Ignorance of that role led in the first place to mental fictions, and it has been perpetuated by the explanatory practices to which they gave rise.
My main reasons are sailing the high seas
If this is the goal, then you need to concern yourself with your network first and the computer/server second. You need as much operational control over your home network as you can manage, you need to put this traffic in a separate tunnel from all of your normal network traffic and have it pop up on the public network from a different location. You need to own the modem that links you to your provider’s network, and the router that is the entry/exit point for your network. You need to segregate the thing doing the sailing on its own network segment that doesn’t have direct access to any of your other devices. You cannot use the combo modem/router gateway device provided by your ISP. You need to plan your internal network intentionally and understand how, when, and why each device transmits on the network. You should understand your firewall configuration (on your network boundary, not on your PC). You should also get Pi-hole up and running and start dropping unwanted inbound and outbound traffic.
OpSec first.
I think you’re right, and I think the problem is that many people equate dominance with aggression, especially physical aggression, and even more especially abusive aggression. It can be really difficult to break someone of this misconception, and popular media (e.g. “Fifty Shades of Grey”) really hasn’t helped.
It is perfectly possible to be controlling with soft power (more of a straitjacket than a bludgeon) but this is more subtle and more difficult to portray in a visual format, regardless of the gender(s) of the characters involved. You’re more likely to find what you’re looking for in written format than visual, because written description handles subtlety better than video.
Subtlety requires time almost by default, and most forms of visual adult media are about quick gratification.
By the phone company.
Heh, that won’t stop a C-level from thinking that you just write code.
So if it’s too scummy for the BBB, it must be really bad… or they weren’t getting a high enough cut.
Do something worthwhile with your time.
Something else.
There’s this quote attributed to Rabbi Yisrael Salanter:
When I was a young man, I wanted to change the world. I found it was difficult to change the world, so I tried to change my nation. When I found I couldn’t change the nation, I began to focus on my town. I couldn’t change the town and as an older man, I tried to change my family.
Now, as an old man, I realize the only thing I can change is myself, and suddenly I realize that if long ago I had changed myself, I could have made an impact on my family. My family and I could have made an impact on our town. Their impact could have changed the nation and I could indeed have changed the world.
There are two lessons here. First - the best way to effect meaningful change is to start local. Rather than spending a lot of time agonizing over national politics, get involved in your community - your neighborhood, your town, your apartment building, even just the house you share with your family. Your community will take better care of you and the other people that you care about than any national government ever will.
Second - ultimately the only person whose behavior you can change is your own. Don’t be too harsh with other people when they don’t behave the way that you believe they should. Be a more stringent judge of your own behavior.
But temper that with this:
Whatever you do, don’t congratulate yourself too much. Or berate yourself too much either.
Your choices are half chance. So are everybody else’s.
VPNs as a technology might not be illegal but circumventing the firewall certainly is.
Unless you are a very vocal and high-profile person no one will black bag you in a country of a billion people, lol.
This is a bit of a misunderstanding about how things work in an authoritarian system. Sure, you might fly under the radar for a while, but if you call attention to yourself (say, by getting caught trying to bypass the government firewall) and you are not high-profile, then it is very low-effort to make you disappear. Few will notice, and those that do will stay silent out of fear.
If you are more high-profile you still get black-bagged, you just get released after, with your behavior suitably modified.
Naomi Wu no longer uploads to YouTube.
Depends - how many family members do you have that the PRC might use against you? Or who would miss you if the PRC black bagged you?
And there are hundreds if not thousands of them, plus a lot of automated tooling.