• 0 Posts
  • 22 Comments
Joined 1 year ago
Cake day: July 2nd, 2023



  • Zigbee

    Sure. I think Zigbee/Matter are proprietary standards. And you don’t have too much control over how it is implemented in the individual devices and any possible security vulnerabilities. It is a separate network though and easy to use. I bought a small Gateway to connect it to Home Assistant after the USB stick I was initially using showed some compatibility issues.

    What I really like are those cheap Chinese devices that have ESP8266 or ESP32 microcontrollers in them. I can flash Tasmota or ESPHome on them, take control and have them run free software. No manufacturer’s cloud needed and updates indefinitely.

    Yeah, and we recently talked about smart/dumb appliances. In this household there are lots of older appliances anyways. And we moved a few years ago so they’re just old enough that none of them have wifi. I think that has changed since. Nowadays it’s not an extra 150€ for wifi anymore, but part of most appliances. And you get an App along with your new dishwasher per default. I like “smart” with lighting. And having the washing machine turn on 2h before I get home is a huge convenience. Apart from that, I’d like the heating unit to be smart, but it isn’t. I think we could save some energy if the gas heating stopped after everyone left. There is no steady weekly schedule I could program into the central unit, so it’s just some radiators I can turn down. Apart from that, I don’t think I have a good use-case for a smart dishwasher, fridge or a bugging device that can play music.

    [Intel ME] it is essentially at ring 0

    I don’t like it either. It’s just a very stupid design choice to have some uncontrollable extra chips run god knows what with highest privileges. And in the past people already discovered several security vulnerabilities. And there is no alternative to it. I think AMD does the same. And coreboot is a bit niche. I’d have to put quite some effort in and make some trade-offs. And it doesn’t have to be this way. I don’t think the embedded controller firmware is a super valuable trade-secret anyways. They probably keep it a secret and locked down for shady reasons or because they don’t want people to see the amount of vulnerabilities in it. I don’t think it would do Intel or AMD any harm to just open up that part of the system.


  • Ah. Thanks for explaining :-)

    Yeah, the …keeping the mess somewhere else and not doing it on the important firewall… makes sense.

    I also like to keep it clean so everything is a bit more modular and better to maintain. (I made the mistake of introducing circular dependencies and overly complicated setups often enough.)

    I think the double-NAT is a bad idea. Such things just cause pain and break in unexpected ways. I’d rather focus on getting the firewall right. And the NAT doesn’t add anything here. A firewall is the correct tool to filter packets between two network segments. A NAT is a crude thing that happens to drop incoming connections from the other side. But you could as well instruct your firewall to drop those packets. It’d be the same result just without the added pain.

    And I have some IoT devices as well. Half of them use Zigbee, the other half is connected to my main wifi, I never got around to separating them. But they’re all running open source software and talking to my Home Assistant via MQTT or ESPHome. (I don’t own any smart dishwashers or coffee machines.)

    I don’t have too much info on Intel ME. I suppose it doesn’t do stupid things, or someone would have found out already. And it’s really difficult to protect from. Especially in a setup that isn’t completely locked down. I hope they someday learn and replace that with an open solution.


  • Thanks. I was going a bit more for the “what do you need that for” aspect. Emulating an enterprise environment sounds more like tinkering or learning? I mean I get network segmenting if you want to separate, for example, a home office from the entertainment devices in the living room from the cheap unpatched IoT devices… And also have a separate network to experiment in the basement lab… Doing firewalling to keep the TV from transmitting behaviour tracking data to the manufacturer… Stop the kids from accessing the network share… Or you have several servers running at home with lots of containers…

    But are those hypothetical use-cases? Or what do people actually use the 2 consecutive firewalls and different network segments for?

    I mean I live in a country where electricity isn’t that cheap. I run one server 24/7 and that has to do everything. And since it’s just one machine I can set up a network bridge and a separate internal network for docker there. Most of the networking isn’t overly complicated and contained within that machine. But my OpenWRT also does additional wifi for the guests and a third network for experimentation.

    I get doing it as a hobby. I was just wondering if there are 12 laptops at home, VLANs through the house and 3 servers with lots of storage and webservices and that’s what the OPNsense is for, or if it’s more “because I can”.




  • Uh, why use a Microsoft product that doesn’t even tie into the rest of the selfhosted services very well? There are easier and way better solutions for SSO and web services. And I don’t have a pool of 30 windows laptops that’d need to share a set of login credentials and software rollout, at home.

    I’d rather use the time I’d put into such a project that is just work and little to no benefit for something else. For example doing backups, deleting the Windows on those laptops and replacing it with free software.


  • I think that is a good question to write something positive about systemd.

    I start my services with systemd. I also moved my containers and docker-compose stack to be started by systemd. And it does mounting and bind-mounts, too. So I removed things from /etc/fstab and instead created unit files for systemd to mount the network mounts. And then you can edit the service file that starts the docker-container and say it relies on the mount. systemd will figure it out and start them in the correct order, wait until the network and the mounts are there.

    You have to put some effort in but it’s not that hard. And for me it’s turned out to be pretty reliable and low maintenance.
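One way to wire up what this comment describes, as an added example that is not the commenter’s own unit files: a systemd mount unit for an NFS share and a docker compose service that pulls the mount in with RequiresMountsFor=. The NAS hostname, export path, mountpoint and compose directory are assumed placeholders.

```ini
# /etc/systemd/system/mnt-nas.mount
# The unit name must be the escaped mountpoint: systemd-escape -p --suffix=mount /mnt/nas
[Unit]
Description=NFS share from the NAS (host and export are placeholders)
After=network-online.target
Wants=network-online.target

[Mount]
What=nas.example.lan:/export/media
Where=/mnt/nas
Type=nfs
# _netdev marks this as a network mount; noexec/nosuid/nodev keep the share from
# becoming a place where dropped binaries run with extra privileges on the host
Options=_netdev,nfsvers=4,noexec,nosuid,nodev
TimeoutSec=30

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/compose-media.service
[Unit]
Description=docker compose stack "media"
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target
# Adds Requires= and After= on mnt-nas.mount, so the stack never comes up against
# an empty /mnt/nas that a bind mount would silently use instead of the share
RequiresMountsFor=/mnt/nas
# Stop the stack if the share goes away instead of letting it write into the bare directory
BindsTo=mnt-nas.mount

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/srv/compose/media
ExecStart=/usr/bin/docker compose up -d --remove-orphans
ExecStop=/usr/bin/docker compose down
TimeoutStartSec=300

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl enable --now compose-media.service` brings the mount up first and starts the stack only once /mnt/nas is actually mounted; `systemctl list-dependencies compose-media.service` shows the mount unit as a dependency.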



  • h3ndrik@feddit.de to Privacy@lemmy.ml · No thank you
    25 upvotes · edited · 9 months ago
    • We value your privacy (in a twisted way)
    • Our company’s value (increases with access to) your privacy

    Or the idea of the title and text was to create a paradox like: The following statement is true. // The preceding statement is false.


  • h3ndrik@feddit.de to Privacy@lemmy.ml · No thank you
    14 upvotes · edited · 9 months ago

    At least they are (forced to be) honest ¯\_(ツ)_/¯

    I like the rest of the wording, too. They’d like to process arbitrary data from the device. And third parties act out of their own motivation as long as it is their legitimate interest…

    Use ‘REJECT ALL’.


  • h3ndrik@feddit.de to Privacy@lemmy.ml · Permanently Deleted
    1 upvote · edited · 9 months ago

    I don’t know why you feel it’s necessary to write that several times. Yes, Matrix doesn’t enforce e2ee, that’s why I said you’d need to make sure to enable it. But what is your point? You can use Matrix how you like, with or without, make it secure or not. Sure that has implications. But Lemmy is also not end-to-end-encrypted. Neither is a private conversation in my living room… Other messengers have features to backup or restore keys, or to flag and moderate posts, which may in some cases circumvent e2ee. Or not. So what’s your gist? Would you like us to use a different messenger? I’d be happy to hear constructive arguments. I also had issues with niche clients not supporting encryption or not supporting emoji verify since they aren’t forced to implement it.


  • Not in the technical sense. I mean you can choose if your data packets traverse the Atlantic, but I don’t think that’s noticeable in a messenger. It changes the legislation, though. Since you mentioned security and privacy as goals… There are laws server admins have to abide by. And these laws vary greatly amongst countries. For example the whole EU has stricter privacy laws than most of the US. And there are things like lawful interception, the intelligence apparatus and general surveillance. I’d keep that in mind when looking for the most secure server.



  • h3ndrik@feddit.de to Privacy@lemmy.ml · Permanently Deleted
    5 upvotes · 1 downvote · 9 months ago

    Oh, that’s quite some requirements. I honestly don’t know, I operate my own small instance for me and my family. I just wanted to add that Matrix is supposed to be end-to-end encrypted. So if you activate that in your chats and rooms, the server operator can’t read your messages anyways. But they can collect metadata. For example they know when and who you’re texting and they know where you’re connected from. But they can’t see the actual messages.


  • h3ndrik@feddit.de to Privacy@lemmy.ml · Permanently Deleted
    1 upvote · edited · 10 months ago

    I’m not sure if I agree with most of the premises. Security and privacy require extensive concepts and include several measures. It’s difficult to single out one detail and make absolute statements about it without taking into consideration the context and rest of the setup. Also both depend on the exact threat scenario and it’s difficult to say anything on the matter without defining the threat scenario first.

    An old-fashioned adblocker has some advantages over the newer variants and DNS blocking. It can rewrite the websites and remove most trackers, ads and annoyances even if they’re on the same host. A DNS blocker / VPN can only do that if the tracker runs on a dedicated, distinct domain. And many services nowadays don’t do that. You lose those blocking abilities.

    Sure an adblocker is software and thus has vulnerabilities and issues. But why make the cut here? Why not trust uBlock which is open-source, well used by millions of people and has more than one pair of eyes looking at it and a good track record… But trust the browser which is a ridiculously complex piece of software with millions and millions of lines of code and runs with even more permissions? On top of an even more complex operating system that has access to everything and is often designed by companies that make a living by collecting user data?

    And I don’t think a VPN is good per se. It also adds more complexity and a whole new company in the mix that now handles your traffic. Could be better than your ISP, could also be worse. Sure, it obscures your IP. But I’m sure most VPN providers have to abide by the law and do lawful intercept. As do internet service providers. So depending on the threat, there might not be any benefit over not using a VPN. And there are a lot of VPN offerings and different flavors. Not all of them are good. You could jeopardize your personal information by choosing the wrong one. It adds a layer of privacy under the condition that the company doesn’t keep logs, doesn’t collect user data and has their customer database and payment details decoupled from the network infrastructure.

    And the privacy of VPN use depends on other measures. If you use social media, login to a google account, check your mail, don’t filter trackers or use an Android or Apple phone that uses their services for push notifications, connectivity checks and all sorts of services… Your VPN IP will be known to said companies. And/or your username or other identifiers. They can correlate data, analyze your behaviour pretty much the same way as if it were an ordinary internet connection. It doesn’t help against browser fingerprinting, cookies etc. And the metadata that is for example collected by instant messengers or other “free” services also is the same and also still tied to your account.

    I really don’t see much of a benefit in using a VPN considering today’s technology and the way online services and data collection works. Also their DNS filterlists are still “badness enumeration” and the same concept as the adblocker filterlist.

    And I always like to tell people security and privacy aren’t the same. Sometimes things even oppose each other. For example you could be using a secure Linux distribution and a privacy protecting browser. Now, without additional measures, you’re easily recognized everywhere because only a fraction of the internet users use a setup like that. Combine that with a VPN and a nonstandard DNS that is provided by your VPN provider (and not 8.8.8.8 like most people type in) and you’re singled out even more. (And using Google’s DNS sends your requests to Google, so that’s also not good.) There are additional techniques to mitigate things. In this example faking the browser agent. But there are other techniques to invade privacy, mitigations and it’s really a complex subject that doesn’t have a simple answer to it.

    So if the statement is: uBlock doesn’t provide absolute privacy nor security, I agree. The remaining statements are too simplistic and probably don’t hold true in real-world scenarios.



  • I think opening a tunnel and forwarding the port through it and opening a port forward directly have about the same security implications. Both end up opening the same port and forwarding the same packets to the same computer. The only difference is with a tunnel there is an extra step in between that slows things down. In some edge cases it may be nice if people can’t directly see your IP but just the one from the tunnel. But that doesn’t matter if it’s only for you and your friends. Might be a concern though if you’re a big live-streamer and fear people DDoSing you. But then there are better alternatives. (for example paying $8 a month for a small VPS.) So I think a tunnel makes perfect sense if you can’t get the port forward running. It just doesn’t add anything to security.

    Cloudflare might be a different deal though. They include DDoS protection and filter some attacks. I don’t like Cloudflare so I don’t really know the specifics. I think it’s bad for the internet that a good share of the overall traffic is tunneled over a single company’s servers. And I myself don’t need a middleman in my own services. But they certainly must have something to offer or they wouldn’t be as popular as they are…


  • Sorry, 10.x.x.x is a private IP address range. That can’t be reached from the internet.

    Maybe try one of the services that display your IP like https://www.showmyip.com/ or the one mentioned earlier: canyouseeme.org, that one also shows your IP.

    I have little info to work on. There are many different providers around the world with very different setups. Some are suitable for port forwarding, some aren’t. (You could sit behind a Carrier Grade NAT, which makes port forward difficult to impossible.) But you need to figure out your IP first.

    All I can say is, I run something like you describe… Nextcloud, a reverse proxy and a few other services. I did some port forwards, got a domain that points to my IP and it works fine.

    Edit: I use YunoHost on my computer. It’s a Linux distribution for selfhosting. I think it’s a good choice to get your feet warm or if you want a low maintenance setup. It includes Nextcloud and many other services.

    But you have to figure out how to access your computer from outside. Either you get your IP and the port forward running, or you have to use a service like pagekite.net or you get a VPN running like almost everyone else here wants to convince you to use. I don’t think a VPN is a good idea except if you only want to use it by yourself and not use all the collaborative features of Nextcloud.