• 11 Posts
  • 36 Comments
Joined 2 years ago
Cake day: February 22nd, 2023

  • I got a nice deal on the X280 and am happy with it, was also looking at the various X1 Carbons. Two criteria I had were I wanted USB-C charging (since I have those chargers around and they can handle these laptops) and a single battery (eg. the T470s I have from work is nice but it has two small capacity batteries that each cost the same to replace as the full size single ones in the Carbon and X280). One thing to keep in mind is some of the earlier X1 Carbons don’t support NVMe SSDs (I think it started with 5th gen?).

    Edit: another thing to consider is soldered RAM. Part of why my X280 was cheap was it’s only 8 GB and can’t be upgraded. Since you’re looking at lighter weight things and using FOSS (and perhaps open to tinkering with things like ZRAM) that might be a useful aspect to focus on because there is probably a glut of such machines given how memory inefficient things are lately with every trivial app running a whole browser engine. OTOH, depending how many tabs you tend to have open and how many Electron apps you tend to keep floating around, 8 GB might start to feel cramped. Especially if you think you might want some VMs around.

  • Really appreciate you taking the time to write that. I have a sense of most of that (“defense in depth” and “threat model” are good lenses to think about such things through for sure!) but what I was trying to get a better grasp on was how much risk from automated attack was a normal person without worries of an “advanced persistent threat” taking on by using a device past EOL. Like you say, “Quantifying how much of a difference it makes is not trivial” so I feel less conflicted to know that you’re comfortable with your dad taking that risk.

    I would think that the main thing at stake for a typical user isn’t just browsing history or email though but rather identity theft since a successful attacker can use the device to get through 2FA.


  • It seems like the attack surface is limited to RF (Bluetooth/Wi-Fi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren’t pulling in random untrusted content are far less of an attack vector (eg. one’s bank app isn’t connecting to everything, just to the bank, Pinterest is hopefully escaping user content, etc.)

    Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn’t necessarily mean “giving up Bluetooth entirely”, just not using it when you’re in Bluetooth range of an untrustworthy party eg. if you just use your headset to make Zoom calls at home and are fine not having it on the subway.

    Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we’re vaguely covered by our vendor. I think you’ve convinced me to subscribe to CVEs for Android too, I’ve only had alerts for my browser. Really too bad they don’t make smaller Pixels.


  • I don’t think they are things that can be fixed on the app level?

    Indeed not. So I’m trying to better understand how vulnerabilities at the system level are exploited. It seems like the attack surface is limited to RF (Bluetooth/Wi-Fi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured.

    Based on this thread I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their attack surface.


  • Thanks, that’s encouraging and very relevant. Looks like it was introduced in Android 10 and aside from “Project Mainline” is referred to as “modular system components”: https://source.android.com/docs/core/ota/modular-system

    Can you shed more light on what someone would be risking by continuing to use an EOL device? You say you don’t advise it, but it’d be helpful to elaborate on why.

    It seems like the increased vulnerability would be relatively limited: I presume the browser and messaging are by far the most common vectors and those would be as up to date as ever but I can see how exploiting an unpatched vuln there on an unsupported device could have more impact as it would give more options for privilege escalation.

    Otherwise it’d be something RF based. Aside from widely publicised things like BlueBorne (that we should be keeping an eye out for anyway), is it a reasonable concern that there are identity theft rings employing people with modified hardware wandering around subway systems trying to exfiltrate credentials from devices with specific vulnerable basebands? Seems like Android also offers some defence in depth there that’d make it unlikely enough to ensure it wouldn’t be worth their while?

    There are a few technologically disinterested people in my life that I advise (as is no doubt the case for many here) and I don’t know how strongly to push for them to get new devices once theirs fall out of support. Most of them are quite content with what they’re using and are not in the habit of installing apps (and will reliably ask me first) so they really would be replacing the device solely for the updates. In some cases it’s not only the time and effort to decide on a replacement and get things transferred over but the expense can also be a burden. So I don’t want to raise the alarm lightly.

  • Good point! And ya, when I open uMatrix on a comment thread I see a whole menagerie of instances serving me images, and I guess that goes for the profile image too.

    But I find that somehow less concerning as they just know “someone at this IP viewed this thread containing these images” than “the user at this IP wrote this comment (or post)”.

    Hmmm, but if DMs allow images and they work like this, a user with their own instance who wants to know which IP wrote a comment could perhaps send a message to the author with a unique image…

  • Basically it seems riskier–my understanding was that small caps have a higher volatility which fits my intuition that on top of the additional risk for smaller businesses, a cap-weighted small-cap index like VB is going to get caught up in random faddish shenanigans like GME. I did consider “factor” funds that try to compensate for that like AVSC but wasn’t confident it’d be worth the higher MER.

    Whereas an equal-weight S&P 500 looks like a bit of a mid-cap tilt and a bit of a value tilt but generally more conservative than funds weighted that way in earnest.

  • Hi! Thanks for getting this going, I looked for it a few weeks ago but no one had made a similar community yet (eg. nothing like r/PersonalFinanceCanada nor r/CanadianInvestor). So for my ETF question I created !investing@lemmy.ca to have at least a placeholder for people wondering where to post such content here but did approximately zero to promote it or populate it with content which worked out like you’d expect. I didn’t even pick a funny image for the sidebar.

    So I wonder if I should just close that rather than fragment what might be a fairly limited community? Or is it worth having separate subs as they are different yet related topics—at least on Reddit I preferred to subscribe to the investing one as that was my primary interest and PFC is quite a high traffic sub with a lot of questions not relevant to my lifestyle (eg. I have no car, real estate, insurance, children and no specific plans to acquire them).

  • Read it over and want to thank you for taking this on, it’s a good start covering most / all of what one would expect to be laid out in something like this. Tedious but well worth doing! I do think for the official policy it might well be worth the community crowdfunding a lawyer who has solid experience in such things, maybe EFF can help and we can do a sort of donation drive for them or similar?

    Don’t have tonnes of specific advice but a few things stood out:

    Retain the IP addresses associated with registered users no more than 12 months.

    Seems pretty long and I know this is a template so I imagine smorks will aim for much less given that he even makes an attempt to anonymise nginx logs. I think we might want to keep the template lower too just to nudge people in the right direction?

    You also understand that although there are controls to prevent the distribution of your email and IP address, due to the nature of federated services, all of your engagement on this platform should be considered public.

    I think this is a key point but the “although” calls the security of IP/email into question and seems to potentially lump it in with the other stuff. Maybe split them out somehow?

    {{your_instance_name}} makes every effort to secure your email and IP address and limit access to them. Due to the federated nature of this platform, we cannot provide similar guarantees for your direct messages as they are exposed to other instances outside of our control so it is best to consider them potentially public along with any other interactions you make.


    Which does cause me to wonder: how is voting federated, do other instances see which users up/downvoted a comment from lemmy.ca or does lemmy.ca just provide vote totals for the instance?


    And I think a plain language add-on explainer thingy is great, the fediverse is a bit confusing. I found your draft a bit long and a bit, I dunno, overfamiliar? Not saying I could do better, it’s just a hard thing to be conversational without being twee I suspect. Definitely respect your making the effort, it’s a worthwhile contribution in its own right and lays out what’s valuable and different about this space along with its limitations. Although it might be scope creep to include quite so much detail about how Alpha, Meta, etc. operate, I like your concise explanation of “they’re probably not listening because what they do with metadata is kinda more powerful”. I often struggle with this as that “I know, it’s like they listen!” is a common reaction that people have in support of my aversion to eg. installing Meta’s apps on my phone.

    On second thought, I wonder if this could be even more general and just a really polished version explaining the overall gist of the platform that instances can link to at joinlemmy.org. Like a section 1b “Why federated?” after https://join-lemmy.org/docs/index.html#introduction


  • It’s not the only IXP, just the largest.

    It’s not really any particular problem, I just think it’s the sort of thing that’s worth being aware of at least. So I pointed it out. I did overhype the headline (should have put the building housing a key part…) but did indicate in the post that they bought the building and not control of TorIX itself and that

    While that’s not necessarily an issue, I kinda figured it was at least a little bit notable but I’ve not seen it mentioned aside from an investment context.

    It was also an opportunity to highlight Bell’s unnecessary sending of traffic through the US which I think should have a higher profile though I’m not a strident nationalist and might actually be sorta okay with it if it was actually legit more efficient or something but it sounds like it’s done for business reasons eg. to pressure smaller players into private peering.

    I’d like to see infrastructure have a higher profile in general. I really appreciate connectivity, electricity, running water, roads, etc. and think the investments we make there pay off. But it seems to often fall prey to being easily underfunded in favour of some attention grabbing but ultimately underwhelming pet project calculated to garner votes. Like tech debt being swept under the rug in favour of shiny features.

  • foreign corporations are extracting most of the profit from local journalism simply by hosting links to the content,

    I don’t believe they are getting particularly much revenue from journalism. I think that’s why their reaction to this is just to block the links being posted: it won’t really affect their bottom line. A blip. Even if Cali does it, people will just post memes or screenshots of headlines or w/e.

    And sure, hosting links to those news stories is mutually beneficial, except that almost no one clicks the links. The headline, teaser and photo are scraped and displayed on the third party app, and that’s all anyone cares to look at.

    Indeed, few of us spend much time reading the news. Especially actual investigative journalism and not just what amounts to entertainment content. Saw an article recently saying that Canadians’ level of interest in news media is even going down from what was presumably a fairly low baseline (see how easy it is to get by without links?)

    I think there is a silver lining to this though: it doesn’t cost that much to make the kind of news that’s important. It’s certainly not free but you mainly need to pay a few talented and driven people enough salary to support them while they doggedly pursue the truth. You don’t need a massive printing press and a delivery fleet like in the past. So news doesn’t need to be corporate. News doesn’t need to be Reddit, news can be Lemmy.

    If something is happening, those of us who pay attention should be linking to it when it’s important. And should be linking to quality sources.

    I live in Toronto, recently some protected lands were going to lose their protection and the circumstances around it were suspect. The most in depth journalism on the topic was this piece from a very small donor-funded org that investigates environmental issues: https://thenarwhal.ca/ford-ontario-greenbelt-cuts-developers/

    Indeed, the federal government has an excellent program that supports this model (and that very publication) – it allows news orgs to be recognised as tax-deductible charities if they meet certain criteria, effectively amplifying the impact of those of us who think it’s worth paying for news to exist:

    https://www.canada.ca/en/revenue-agency/services/charities-giving/other-organizations-that-issue-donation-receipts-qualified-donees/other-qualified-donees-listings/list-registered-journalism-organizations.html

    I do value journalism, and I do think more people should care and I think we should be linking to it everywhere we think we might be able to engage our fellow citizens with what’s going on around us.

    I don’t especially value corporate manipulation and lobbying which is what I see from things like Postmedia, which owns way too many newspapers: https://en.wikipedia.org/wiki/List_of_newspapers_in_Canada

    A for-profit business is seeking profit first. That necessarily distorts journalism. Especially when the business model is based on ads. I’d rather support a smaller, more focused sort of news gathering. And it’s better if more of us donate; they should be beholden to a large sampling of the minority of us who think it’s important that journalism happens and not to shareholders.

    Currently I contribute to: Canadaland, The Local, The Narwhal, and The Tyee. I also pay for The Guardian because they don’t have a paywall.

    I’d like to support the Toronto Star and The Globe and Mail but they have paywalls so I’d have to log in to read them and then they’re associating my reading habits with my identity and selling it to advertisers. That business is gross. Much like what Facebook and Google do. I don’t want to support that. Plus I can’t link people to the paywalled news. And I think it’s important to be able to do that: it’s all the more important to have it there for the few people who will click through and become informed precisely because, as you said, most people won’t. And I don’t see pay-for-links helping; if the platforms eventually cave and start supporting that scheme, won’t it just encourage vapid Buzzfeed style clickbait as they try to get as much link juice as possible?

    So I want to pay not for access to the news, but for the news to exist for everyone because I believe it’s important. And I think it would probably be good for society if ad-funded news died. Any other publications I should be supporting and linking to?