BuoyantCitrus

cross-posted from: https://lemmy.ca/post/1926125

Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what's the actual risk of using an Android phone on a stock ROM without updates? What's the attack surface?

It seems like most things that'd contact potentially malicious software are web and messaging software, but that's all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it'd be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn't just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I'm not at all an Android developer though, perhaps this is very naive and I'm missing something major?

Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what's the actual risk of using an Android phone on a stock ROM without updates? What's the attack surface?

It seems like most things that'd contact potentially malicious software are web and messaging software, but that's all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it'd be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn't just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I'm not at all an Android developer though, perhaps this is very naive and I'm missing something major?

cross-posted from: https://lemmy.ca/post/653849

I'm trying to follow conventional wisdom and have more and more of our portfolio as straight up VGRO but want some more US exposure (though I am aware there are arguments in favour of a home-country bias). I was also interested in picking a USD fund as not only do they tend to have a lower MER but also get an extra boost from witholding tax exemption if I hold them in an RRSP.

An S&P 500 fund seems the way to go, but it seems awfully slanted towards giant tech megacaps. Apple alone is over 7% of VOO. With a P/E over 31 it's hard for me to feel like there's not extra risk with the concentration here--is it really such a safe bet to think the largest company in the world has that much more growth ahead of it? And VGRO already has a solid chunk of cap-weighted exposure.

And so, after my inexpert research failed to dissuade me, I'm probably going to use an equal-weight ETF like RSP or EUSA for this portion---there are no penny stocks on the S&P 500 and it doesn't seem to perform much worse (and indeed better depending how far back you test). At this point I'm more comfortable with either of those than VOO and will probably do this just for the irrational psychology, but I do wish there was something that combines an equal weighting with a screen for quality (something like SPHQ) as a big drawback seems like for as much concentration risk as it avoids it also keeps rebalancing more and more into failing companies as they crash and burn.

Anyone else subscribe to a similar reasoning and incorporate an equal weight fund into the passive portion of your portfolio? Which one did you go with?

Our new mayor faces an uphill battle, this TVO piece lays it out well. And that's not even counting the potential for active sabotage like what Bob Rae ran into.

Allied Properties sale of their data centre portfolio to KDDI includes 151 Front Street W., the site of TorIX which is the main Internet Exchange Point for the country. While that's not necessarily an issue, I kinda figured it was at least a little bit notable but I've not seen it mentioned aside from an investment context.

Unfortunately, it seems like it's less consequential than it should be because Bell Canada apparently still refuses to peer at TorIX and only connects to other ISPs through the US which means that eg. if I'm on Rogers in Toronto and you're on Bell, any communications between our computers have to flow through American controlled systems even though we're in the same city because that's how Bell chooses to have things set up.

Whereas, for pretty much everything else in Toronto, it'd move between networks via TorIX. Which is now in a building owned by a Japanese company instead of a Canadian REIT.

There's an election soon in Toronto! A publication I like has some detailed profiles on the candidates but I bet others do too. Seems like it'd be best to start a thread and collect links to that kind of coverage in top level comments.

It'd be nice to (eventually!) see a link laying out a privacy policy for the instance, something like: https://newsie.social/privacy-policy

I'd especially be interested to know how long you associate the IP addresses we visit from with our accounts, who can see that info (and our emails), what other PII you store, and how long deleted posts/accounts are stored for.

(Totally get and very much appreciate that smorks &co have a lot on their plates just getting this place off the ground, not trying to demand additional work, just a suggestion. Seems like it'd take some thinking to balance with eg. a good backup regimen.)

...and it's apparently a "trophy"?

Was curious about whether someone could extract my password from Jerboa on my phone but didn't get any response there. Maybe you guys have some idea? Does Lemmy even offer an auth mechanism that could prevent this, is one in the works?

cross-posted from: https://lemmy.ca/post/652328

I noticed that Jeroba didn't seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jeroba I'm entrusting it with the cleartext password for my lemmy account which it's storing on my phone?

I'm sorta okay with that especially for now (eg. alpha) so I proceeded with things but maybe it should be more clear up front that's what's happening? And really, any of the other apps could probably have faked that OAuth page anyhow so it's dubious if you were really trusting the app all that much less in that case.

However, one thing OAuth had going for it was that would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account whereas they could extract my password from Jeroba and use it to take over my lemmy account?

Looked through the docs a bit and it's not really clear to me: I'm posting this on lemmy.ca, does that mean only that instance knows my IP? Or does every instance it federates with get my ip alongside this post?

This seems maybe important, did I miss a privacy guide to Lemmy someplace? Cursory searching didn't come up with much official. Are there other aspects we should be thinking about here? I'd come across some mention of deleted posts being still available everywhere they were sent but that sorta makes sense -- hard to "unpublish" anything.