I switched from Tailscale to headscale, and I still would suggest Tailscale to anyone. It’s just really done well and they seem to actually love that self-hosters and hobbyists use their stuff.
Well, that’s what you are doing with SSH tunnels and remote browsers. If you want separation, they can put your computer in their router’s DMZ (demilitarized zone), so it doesn’t have access to their devices. Additionally, if you use the Tailscale IPs (or host names) instead of their local IPs on their network, they won’t ever change.
Yes. eBay and Amazon have a certified refurbished thing with warranties for a little more money, or monitor local classified sites if you can inspect them. I’ve bought a couple off Kijiji here in Canada, which is a bit like Craigslist and Facebook Marketplace. The sellers didn’t advertise that they were a business selling off-lease stuff, but you can tell by the number of laptops they post.
Find out if there are any corporate off-lease machines being sold in your area. USFF machines are frequently used as mini desktops or point-of-sale computers, then sold off for peanuts when warranties are done. Especially look at the i3-8xxx generation, as they don’t support Windows 11 fully.
You are talking out of your ass. First, a timing attack requires numbers to correlate: reasonable numbers of people using a node or server and a LOT of packets going back and forth. Neither is true for a Signal server. Second, they don’t get the phone numbers if contacts are using only their username (with phone number sharing disabled). Your criticisms are over the top and not at all nuanced to the degree of protection of metadata that was built into Signal. If it was as bad as you imply, a whole heck of a lot of the most respected security researchers would have to be complete idiots.
That a timing attack could be successful is not a given. It’s a possibility, yes, but there is very likely sufficient mixing happening to make that unrealistic or unreliable. An individual doesn’t create much traffic, and thousands are using the server constantly. Calling it a honeypot or claiming the phone number and device ID are available is a stretch.
Timing attacks can work in Tor when you are lucky enough to own both the entrance and exit node for an individual, because very few people will be using both, and web traffic from an individual is relatively heavy and constant, allowing for correlation.
That’s not exactly true. See Sealed sender: https://signal.org/blog/sealed-sender/
At least in theory, this is mitigated. The Signal activation server sees your phone number, yes. If you use Signal, the threat model doesn’t protect you from someone with privileged network or server access learning that you use Signal (just like someone with privileged network access can learn you use Tor, or a VPN, etc.).
But the Signal servers do not get to see the content of your group messages, nor the metadata about your groups and contacts. Sealed sender keeps that private: https://signal.org/blog/sealed-sender/
You would obviously want to join those groups with a user ID rather than your phone number, or a malicious member could out you. It’s not the best truly anonymous chat platform, but protection from your specific threat model is thought through.
edit: be sure to go to Settings > Privacy > Phone Number. By default anyone who already has your phone number can see you use Signal (used for contact discovery; this makes sense to me for all typical uses of Signal), and in a separate setting, contacts and groups can see your phone number. You will absolutely want to uncheck that one if you follow my suggestion above.
It’s insane that this is even needed. Show me ads for things relevant to the content of the web page and nothing else. If I’m reading about furnace filters, sure, show me an ad for buying furnace filters, I might buy from you, but don’t follow me around for 2 weeks shoving furnace filter ads in my face. If I’m not reading about them anymore, I’ve moved on.
The added benefit of this approach for advertisers would be that you can literally embed the ads in the page, making ad-blockers ineffective. They literally chose the worst method for everyone involved.
Entropy is calculated from the character set size to the exponent the length of the string: E = log2(R^L). A long string of numbers can have more entropy than a shorter alphanumeric string with special characters. I looked it up and apparently their account number is 16 digits. That’s 53 bits of entropy, which is not guessable. Someone brute forcing would have quadrillions of login attempts to try.
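The formula from the comment above, E = log2(R^L), carried through on constructed sample strings (an added example, not part of the original comment). The alphabet size R is inferred from which character classes a sample uses, which is an assumption of the example; a real generator's alphabet may differ.

```python
import math
import string

# Standard character classes used to infer the alphabet size R from a sample.
# Assumption: the generator drew uniformly from the union of the classes seen.
_CLASSES = [
    (string.digits, 10),
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.punctuation, len(string.punctuation)),  # 32 printable symbols
]


def alphabet_size(sample: str) -> int:
    """Return R: the size of the smallest union of standard classes covering the sample."""
    size = 0
    for chars, class_size in _CLASSES:
        if any(c in chars for c in sample):
            size += class_size
    if size == 0:
        raise ValueError("sample contains no recognised characters")
    return size


def entropy_bits(alphabet: int, length: int) -> float:
    """E = log2(R^L), computed as L * log2(R) so huge powers are never formed."""
    return length * math.log2(alphabet)


def entropy_of(sample: str) -> float:
    """Entropy in bits of a string, using the inferred alphabet size."""
    return entropy_bits(alphabet_size(sample), len(sample))


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the value: half the keyspace at a fixed guess rate."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: a 16-digit number versus a shorter mixed-class string.
    account = "1234567890123456"   # R = 10, L = 16 -> about 53 bits
    mixed = "Ab1!Cd2@"            # R = 94, L = 8  -> about 52 bits
    for s in (account, mixed):
        print(f"{s!r}: R={alphabet_size(s)} L={len(s)} E={entropy_of(s):.1f} bits")
    print(f"16 digits at 1000 guesses/s: ~{brute_force_years(entropy_of(account), 1000):.0f} years")
```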
WireGuard is just the VPN software, not a service. Most of these services are running WireGuard under the hood now because it’s so good. You can also use WireGuard yourself to connect your own machines together (or friends’ machines, allowing file sharing like a LAN), but that doesn’t help you with torrenting.
Unless you are willing to do the math, “no entropy really” deserves a [citation needed].
Yes it is. Signal isn’t PGP email. A lot of work went into protecting metadata.
What is the threat model where this matters? You have to trust the recipient with Signal. The only one I can think of is the case where your recipient is using a compromised fork and is unaware. In this case, talking about the tool and checking with them about what they are using is really the only countermeasure.
Yes, all while he’d have a private chef and a staff that keep him safe.
As a thought experiment: what would have happened if, instead of a public health regulation approach, we dealt with restaurant safety by providing a few safe places and advocating everyone go there if they don’t want salmonella or E. coli poisoning? We’d have ignorant people going to the dangerous places, others misinformed or in denial, and a flood of misinformation that food poisoning is either “fine” or there’s no avoiding it anyway, so best not to worry.
Thanks, I like it. The downside is that the VPS can see the content of my services, so it’s no good if you don’t trust the VPS provider, or if the content is too sensitive to allow that. I think it’s a good trade-off for my usage though. Performs well. One of the services I proxy is an RPi serving images downloaded from weather satellites. Connecting directly to the Pi is super slow, but the proxy caching makes it 100% faster.
I’ve noticed that more and more, interesting new projects have Nix, AppImage, pkg, and Docker releases. So on Debian, I need to rely on non-native packages or compiling more frequently than before. Not a big issue, but it’s a new awkwardness I wasn’t used to.
I use a $2 VPS in Quebec that proxies my home stuff over Tailscale. It uses Caddy and does the TLS encryption and caching. It has the provider’s DDoS protection, plus I have configured the firewall to have some further protection.
It could also just directly forward TLS packets over any sort of VPN if you didn’t trust the VPS provider or wanted to reduce CPU load.
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.